For details see:
https://blog.clamav.net/2023/10/clamav-121-113-104-010311-patch.html
Excerpt:
"ClamAV 1.2.1 is a patch release with the following fixes:
Eliminate security warning about unused "atty" dependency.
Upgrade the bundled UnRAR library (libclamunrar) to version 6.2.12.
Build system: Fix link error with Clang/LLVM/LLD version 17. Patch courtesy of Yasuhiro Kimura.
Fix alert-exceeds-max feature for files > 2GB and < max-filesize."
Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org>
Reviewed-by: Adolf Belka <adolf.belka@ipfire.org>
This will affect new IPFire installations only, implementing a
long-standing BCP for preemptively combating botnet spam. Reject is
chosen over drop to reduce the likelihood for confusion during network
troubleshooting.
Cc: Michael Tremer <michael.tremer@ipfire.org>
Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
Tested-by: Peter Müller <peter.mueller@ipfire.org>
- Update from version 11.5.0 to 11.6.1
- Update of rootfile
- Changelog
11.6.1: release
* Fix a logic error introduced in 11.6.0 in the fix to
copyForeignObject. The bug could result in some pages not being
copied.
11.6.0: release
* ascii85 parser: ignore spaces everywhere including between ~
and >. Fixes#973.
* Bug fix: with --pages, if one of the external files had warnings
but the main file did not, the warning was previously not taken
into consideration when determining the exit status.
* Put quotation marks around the command in completion output to
better handle spaces in paths. It is not a perfect fix (ideally,
full shell-compatible quoting should be used), but it handles more
cases than the old code and should handle all reasonable cases of
qpdf being in a directory with a space in its name, which is
common in Windows. Fixes#1021.
* Move check for random number device to runtime instead of
compile time. Since, by default, the crypto provider provides
random numbers, runtime determination of a random number device is
usually not needed. Fixes#1022.
* Maintain links to foreign pages when copying foreign objects.
This allows hyperlinks in imported files to work. Fixes#1003.
* Bug fix: Return a null object if an attempt is made to to copy a
foreign /Pages object with copyForeignObject. This corrects a
possible crash. Fixes#1010.
* Bug fix: Return a null object if an attempt is made to to copy a
foreign /Pages object with copyForeignObject. Fixes#1003.
* Add /MediaBox to a page if absent. Thanks M. Holger.
* Use std::vector internally for Pl_Buffer to
avoid incompatibility with C++20. Thanks to Zoe Clifford. Fixes#1024.
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
- Update from version 1.6 to 1.7
- This project had little happen to it for 5 years but is now going again
https://jqlang.github.io/jq/
- Update of rootfile
- Changelog
1.7
After a five year hiatus we're back with a GitHub organization, with new admins
and new maintainers who have brought a great deal of energy to make a
long-awaited and long-needed new release. We're very grateful for all the new
owners, admins, and maintainers. Special thanks go to Owen Ou (@owenthereal)
for pushing to set up a new GitHub organization for jq, Stephen Dolan (@stedolan)
for transferring the jq repository to the new organization, @itchyny for doing a
great deal of work to get the release done, Mattias Wadman (@wader) and Emanuele
Torre (@emanuele6) for many PRs and code reviews. Many others also contributed
PRs, issues, and code reviews as well, and you can find their contributions in
the Git log and on the [closed issues and PRs page]
(https://github.com/jqlang/jq/issues?q=is%3Aclosed+sort%3Aupdated-desc).
Since the last stable release many things have happened:
- jq now lives at <https://github.com/jqlang>
- New maintainers, admins, and owners have been recruited.
- A list of [current maintainers](https://github.com/jqlang/jq/blob/jq-1.7/AUTHORS#L4-L14)
- NEWS file is replaced by NEWS.md with Markdown format. @wader #2599
- CI, scan builds, release, website builds etc now use GitHub actions. @owenthereal @wader @itchyny #2596#2603#2620#2723
- Lots of documentation improvements and fixes.
- Website updated with new section search box, better section ids for linking, dark mode, etc. @itchyny #2628
- Release builds for:
- Linux `amd64`, `arm64`, `armel`, `armhf`, `i386`, `mips`, `mips64`, `mips64el`, `mips64r6`, `mips64r6el`, `mipsel`, `mipsr6`, `mipsr6el`, `powerpc`, `ppc64el`, `riscv64` and `s390x`
- macOS `amd64` and `arm64`
- Windows `i386` and `amd64`
- Docker `linux/386`, `linux/amd64`, `linux/arm64`, `linux/mips64le`, `linux/ppc64le`, `linux/riscv64` and `linux/s390x`
- More details see @owenthereal #2665
- Docker images are now available from `ghcr.io/jqlang/jq` instead of Docker Hub. @itchyny #2652#2686
- OSS-fuzz. @DavidKorczynski #2760#2762
Full commit log can be found at <https://github.com/jqlang/jq/compare/jq-1.6...jq-1.7> but here are some highlights:
CLI changes
- Make object key color configurable using `JQ_COLORS` environment variable. @itchyny @haguenau @ericpruitt #2703
- Change the default color of null to Bright Black. @itchyny #2824
- Respect `NO_COLOR` environment variable to disable color output. See <https://no-color.org> for details. @itchyny #2728
- Improved `--help` output. Now mentions all options and nicer order. @itchyny @wader #2747#2766#2799
- Fix multiple issues of exit code using `--exit-code`/`-e` option. @ryo1kato #1697
- Add `--binary`/`-b` on Windows for binary output. To get `\n` instead of `\r\n` line endings. @nicowilliams 0dab2b1
- Add `--raw-output0` for NUL (zero byte) separated output. @asottile @pabs3 @itchyny #1990#2235#2684
- Fix assert crash and validate JSON for `--jsonarg`. @wader #2658
- Remove deprecated `--argfile` option. @itchyny #2768
- Enable stack protection. @nicowilliams #2801
Language changes
- Use decimal number literals to preserve precision. Comparison operations respects precision but arithmetic operations might truncate. @leonid-s-usov #1752
- Adds new builtin `pick(stream)` to emit a projection of the input object or array. @pkoppstein #2656#2779
- Adds new builtin `debug(msgs)` that works like `debug` but applies a filter on the input before writing to stderr. @pkoppstein #2710
- Adds new builtin `scan($re; $flags)`. Was documented but not implemented. @itchyny #1961
- Adds new builtin `abs` to get absolute value. This potentially allows the literal value of numbers to be preserved as `length` and `fabs` convert to float. @pkoppstein #2767
- Allow `if` without `else`-branch. When skipped the `else`-branch will be `.` (identity). @chancez @wader #1825#2481
- Allow use of `$binding` as key in object literals. @nicowilliams 8ea4a55
- Allow dot between chained indexes when using `.["index"]` @nicowilliams #1168
- Allow dot for chained value iterator `.[]`, `.[]?` @wader #2650
- Fix try/catch catches more than it should. @nicowilliams #2750
- Speed up and refactor some builtins, also remove `scalars_or_empty/0`. @muhmuhten #1845
- Now `halt` and `halt_error` exit immediately instead of continuing to the next input. @emanuele6 #2667
- Fix issue converting string to number after previous convert error. @thalman #2400
- Fix issue representing large numbers on some platforms causing invalid JSON output. @itchyny #2661
- Fix deletion using assigning empty against arrays. @itchyny #2133
- Allow keywords to be used as binding name in more places. @emanuele6 #2681
- Allow using `nan` as NaN in JSON. @emanuele6 #2712
- Expose a module's function names in `modulemeta`. @mrwilson #2837
- Fix `contains/1` to handle strings with NUL. @nicowilliams 61cd6db
- Fix `stderr/0` to output raw text without any decoration. @itchyny #2751
- Fix `nth/2` to emit empty on index out of range. @itchyny #2674
- Fix `implode` to not assert and instead replace invalid unicode codepoints. @wader #2646
- Fix `indices/1` and `rindex/1` in case of overlapping matches in strings. @emanuele6 #2718
- Fix `sub/3` to resolve issues involving global search-and-replace (gsub) operations. @pkoppstein #2641
- Fix `significand/0`, `gamma/0` and `drem/2` to be available on macOS. @itchyny #2756#2775
- Fix empty regular expression matches. @itchyny #2677
- Fix overflow exception of the modulo operator. @itchyny #2629
- Fix string multiplication by 0 (and less than 1) to emit empty string. @itchyny #2142
- Fix segfault when using libjq and threads. @thalman #2546
- Fix constant folding of division and reminder with zero divisor. @itchyny #2797
- Fix `error/0`, `error/1` to throw null error. @emanuele6 #2823
- Simpler and faster `transpose`. @pkoppstein #2758
- Simple and efficient implementation of `walk/1`. @pkoppstein #2795
- Remove deprecated filters `leaf_paths`, `recurse_down`. @itchyny #2666
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
- Update from version 1.14.6 to 1.14.10
- Update of rootfile
- Changelog
dbus 1.14.10 (2023-09-01)
Bug fixes:
• Avoid a dbus-daemon crash if re-creating a connection's policy fails.
If it isn't possible to re-create its policy (for example if it belongs
to a user account that has been deleted or if the Name Service Switch is
broken, on a system not supporting SO_PEERGROUPS), we now log a warning,
continue to use its current policy, and continue to reload other
connections' policies. (dbus#343; Peter Benie, Simon McVittie)
• If getting the groups from a user ID fails, report the error correctly,
instead of logging "(null)" (dbus#343, Simon McVittie)
• Return the primary group ID in GetConnectionCredentials()' UnixGroupIDs
field for processes with a valid-but-empty supplementary group list
(dbus!422, cptpcrd)
dbus 1.14.8 (2023-06-06)
Denial-of-service fixes:
• Fix an assertion failure in dbus-daemon when a privileged Monitoring
connection (dbus-monitor, busctl monitor, gdbus monitor or similar)
is active, and a message from the bus driver cannot be delivered to a
client connection due to <deny> rules or outgoing message quota. This
is a denial of service if triggered maliciously by a local attacker.
(dbus#457; hongjinghao, Simon McVittie)
Other fixes:
• Fix compilation on compilers not supporting __FUNCTION__
(dbus!404, Barnabás Pőcze)
• Fix some memory leaks on out-of-memory conditions
(dbus!403, Barnabás Pőcze)
• Documentation:
· Fix syntax of a code sample in dbus-api-design
(dbus!396; Yen-Chin, Lee)
Tests and CI enhancements:
• Fix CI pipelines after freedesktop/freedesktop#540
(dbus!405, dbus#456; Simon McVittie)
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Fixes custom IPFire Zabbix Agent userparameter ipfire.net.gateway.ping
returning 1 (success) when fping failed for other reasons (rc 2,3 or 4)
than host unreachable (rc 0).
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
This has been our default setting on x86_64 for quite some time now,
which is why this patch aligns the aarch64 kernel configuration to that
value.
Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
This subsystem has been a frequent source of security vulnerabilities
affecting the Linux kernel; as a result, Google announced on June 14,
2023, that they would disable it in their environment as widely as
possible.
IPFire does not depend on the availability of io_uring. Therefore,
disable this subsystem as well in order to preemptively cut attack
surface.
See also: https://security.googleblog.com/2023/06/learnings-from-kctf-vrps-42-linux.html
Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
For details see:
v4.19.1. => https://www.samba.org/samba/history/samba-4.19.1.html
"
==============================
Release Notes for Samba 4.19.1
October 10, 2023
==============================
This is a security release in order to address the following defects:
o CVE-2023-3961: Unsanitized pipe names allow SMB clients to connect as root to
existing unix domain sockets on the file system.
https://www.samba.org/samba/security/CVE-2023-3961.html
o CVE-2023-4091: SMB client can truncate files to 0 bytes by opening files with
OVERWRITE disposition when using the acl_xattr Samba VFS
module with the smb.conf setting
"acl_xattr:ignore system acls = yes"
https://www.samba.org/samba/security/CVE-2023-4091.html
o CVE-2023-4154: An RODC and a user with the GET_CHANGES right can view all
attributes, including secrets and passwords. Additionally,
the access check fails open on error conditions.
https://www.samba.org/samba/security/CVE-2023-4154.html
o CVE-2023-42669: Calls to the rpcecho server on the AD DC can request that the
server block for a user-defined amount of time, denying
service.
https://www.samba.org/samba/security/CVE-2023-42669.html
o CVE-2023-42670: Samba can be made to start multiple incompatible RPC
listeners, disrupting service on the AD DC.
https://www.samba.org/samba/security/CVE-2023-42670.html"
v4.19.2 => https://www.samba.org/samba/history/samba-4.19.2.html
"Changes since 4.19.1
--------------------
o Jeremy Allison <jra@samba.org>
* BUG 15423: Use-after-free in aio_del_req_from_fsp during smbd shutdown
after failed IPC FSCTL_PIPE_TRANSCEIVE.
* BUG 15426: clidfs.c do_connect() missing a "return" after a cli_shutdown()
call.
o Ralph Boehme <slow@samba.org>
* BUG 15463: macOS mdfind returns only 50 results.
o Volker Lendecke <vl@samba.org>
* BUG 15481: GETREALFILENAME_CACHE can modify incoming new filename with
previous cache entry value.
o Stefan Metzmacher <metze@samba.org>
* BUG 15464: libnss_winbind causes memory corruption since samba-4.18,
impacts sendmail, zabbix, potentially more.
o Martin Schwenke <mschwenke@ddn.com>
* BUG 15479: ctdbd: setproctitle not initialized messages flooding logs.
o Joseph Sutton <josephsutton@catalyst.net.nz>
* BUG 15491: CVE-2023-5568 Heap buffer overflow with freshness tokens in the
Heimdal KDC in Samba 4.19
* BUG 15477: The heimdal KDC doesn't detect s4u2self correctly when fast is
in use."
Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org>
Reviewed-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
- A script was added to the update.sh script to add pass/no pass to the ovpnconfig entries
but I forgot that this was also needed in the backup.pl file to add those statuses into
any ovpnconfig file restored from a backup before the pass/no pass entries were added.
- This patch corrects that oversight.
- Confirmed by testing on my vm. Before the script added to backup.pl a restore of older
ovpnconfig ended up not showing any icons or status elements. With the script in
backup.pl confirmed that the restored ovpnconfig showed up in the WUI page correctly
with the right icons and with the status elements correctly displayed.
Tested-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
- Update from version 3.00 to 3.08
- Update of rootfile
- All the other patches and sed modifications are now built mintyo the source tarball,
except for the mountpoint patch which is stilol needed
- Changelog
3.08
This release focuses on three changes which are basically imports of patches from Gentoo. Special thanks to floppym for supplying these.
Applied a patch from floppm which adds kexec option to the halt command. This can be used as "halt -k".
floppym provided patch which causes the halt command to call "shutdown -h -H" instead of "shutdown -h" when halt is invoked without parameters. This forces the shutdown command to set the INIT_HALT variable and assume, unless other conditions apply, that the "halt" call really wants to halt the machine and INIT_HALT should be set. In other words we assume halt wants to halt unless told otherwise.
Addresses downstream Gentoo bug ID 911257.
Updated halt documentation and help output to display parameters in alphabetical order.
3.07
The 3.07 release of SysV init mostly introduces fixes and improvements for the
killall5 and pidof programs. (These are actually the same program, but are
invoked with two different names, which result in different behaviour. The main
highlights in this release are:
Fixed killall5 so that processes in the omit list are not sent any
signals, including SIGSTOP.
Fixed usage message for killall5 to be more accurate.
pidof was not returning PIDs of programs which were launched using a
symbolic link. This has been fixed so programs run from a symbolic link
show up in process lists.
3.06
Mark Hindley fixed typo in es.po
Mark Hindley cleaned up translation code in src/Makefile.
Drop sulogin from Debian build. Removed libcrypt-dev dependency.
Fixed pt translation pages which were failing due to mis-matched open/close
tags.
Makefile now respects ROOT prefix when setting up pidof-to-killall5 symbolic
link.
Removed redundant translation files from man directory.
Makefile now respects DESTDIR. User can specify either ROOT= or DESTDIR= to
set install prefix.
3.05
This release (3.05) focuses on two things:
Updating the translation framework.
Fixing compiling issues on various systems.
The second point, compiling, encompasses a few minor changes to get SysV init to
build properly on GNU Hurd, systems without certain GNU assumptions, and systems
running the latest glibc library (2.36 at time of writing).
3.04
This release contains one minor fix which allows the bootlogd code to properly
compile on Debian's GNU Hurd branch.
3.03
This release includes two minor changes. One is fixing a typo in the init manual
page (init.8). this fix was offered by Mark hindley.
Mark, and a few other people, also pointed out that a fix in 3.02 for bootlogd
introduced reliance on a defined PATH_MAX constant. This is used elsewhere in
the code, but is not explicitly defined in bootlogd, which caused bootlogd to
not build properly on GNU Hurd and musl C systems. This has been fixed.
3.02
Added q and Q flags to synopsis in shutdown manual page.
Applied fixes for markup and spacing in manual pages.
Patch provided by Mario Blattermann.
Added translation framework (po4a) from Mario Blttermann.
Added Makefile for man/ directory. Will handle translations
and substitutions.
Applied new translations for multiple languages from Mario Blattermann.
Added ability to use "@" symbol in command named in the inittab file. This
treats commands as literal and does not launch a shell to interpret them.
Updated inittab manual page to include overview of symbols which trigger
a shell interpretor and how to disable them using the @ symbol.
Introduced change which adds error checking in bootlogd when performing
chdir(). - Provided by Alexander Vickberg
Add check for console using TIOCGDEV on Linux systems in bootlogd to
make finding console more robust. - Provided by Alexander Vickberg
3.01
Default to showing processes in the uninterruptable state (D).
The -z flag no longer affects whether processes in D state are shown.
The -z flag does still toggle whether zombie (Z) processes are shown.
Removed unnecessary check which is always true from init tab parsing.
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
This was updated in 180, but we want to make sure that even testing
users get the latest updates.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
- Looking through some of the changelog and some mail list communications it looks like
qemu decided they did noty want to maintain their own bundled version of libslirp when
the majority of OS's had their own version now in place. Ubuntu 18.04 did not have
libslirp but qemu stopped supporting that version from qemu-7.1
- So it looks like all OS's have a standard libslirp available now and qemu have taken
the decision to no longer have their own version but to use the system version. That
was always possible to do if use of the system version was explicitly defined but
the default was to use the bundled version.
- No evidence that libslirp is deprecated.
- The last version of libslirp was released a year ago but it looks like every month or
so there are a couple of commits merged. The last was a month ago.
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
- Update from version 8.0.3 to 8.1.1
- In CU179 the update of qemu caused at least one user to have a problem starting his
qemu system as the qemu bundled slirp library used for the net user backend was removed
in version 7.2. Unfortunately no user tested qemu in the CU179 Testing phase, or if they
did they are not using the net user backend.
- This patch adds the --enable-slirp option to configure and installs libslirp in a
separate patch.
- I can't test if this now works as I don't use qemu anywhere.
- Changelog is too large to include here.
8.1
https://wiki.qemu.org/ChangeLog/8.1
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
