For details see:
https://downloads.isc.org/isc/bind9/9.11.31/RELEASE-NOTES-bind-9.11.32.html
"Notes for BIND 9.11.32
Feature Changes
DNSSEC responses containing NSEC3 records with iteration counts
greater than 150 are now treated as insecure. [GL #2445]
The maximum supported number of NSEC3 iterations that can be
configured for a zone has been reduced to 150. [GL #2642]
The implementation of the ZONEMD RR type has been updated to match
RFC 8976. [GL #2658]
Notes for BIND 9.11.31
Security Fixes
A malformed incoming IXFR transfer could trigger an assertion
failure in named, causing it to quit abnormally. (CVE-2021-25214)
ISC would like to thank Greg Kuechle of SaskTel for bringing this
vulnerability to our attention. [GL #2467]
named crashed when a DNAME record placed in the ANSWER section
during DNAME chasing turned out to be the final answer to a client
query. (CVE-2021-25215)
ISC would like to thank Siva Kakarla for bringing this vulnerability
to our attention. [GL #2540]
When a server's configuration set the tkey-gssapi-keytab
or tkey-gssapi-credential option, a specially crafted GSS-TSIG query
could cause a buffer overflow in the ISC implementation of SPNEGO
(a protocol enabling negotiation of the security mechanism used for
GSSAPI authentication). This flaw could be exploited to crash named
binaries compiled for 64-bit platforms, and could enable remote code
execution when named was compiled for 32-bit platforms.
(CVE-2021-25216)
This vulnerability was reported to us as ZDI-CAN-13347 by Trend
Micro Zero Day Initiative. [GL #2604]
Feature Changes
The ISC implementation of SPNEGO was removed from BIND 9 source
code. Instead, BIND 9 now always uses the SPNEGO implementation
provided by the system GSSAPI library when it is built with GSSAPI
support. All major contemporary Kerberos/GSSAPI libraries contain
an implementation of the SPNEGO mechanism. [GL #2607]
Notes for BIND 9.11.30
The BIND 9.11.30 release was withdrawn after a backporting bug was
discovered during pre-release testing. ISC would like to acknowledge the
assistance of Natan Segal of Bluecat Networks."
Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org>
Reviewed-by: Peter Müller <peter.mueller@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
- Update from 2.2.0 to 2.4.7
- Migrate from python2 to python3
- Move the rootfile from common to packages as pyparsing is an addon
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
- python3-setuptools works with python3-daemon but not with
python-m2crypto. m2crypto has to stay with python2 because crda
will not find the python3 version of m2crypto.
- python-m2crypto only works with python-setuptools so both the
python2 and python3 versions of setuptools need to stay in place.
- Therefore this patch only creates python3-setuptools, it does not
remove python-setuptools
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
- Update from 10.3.0 to 10.3.2
- Update rootfiles
- Changelog
* 10.3.2: release
* Fix problem that caused the generated manual from being included
in the Windows distributions. Fixes #521.
* Fix 11-year-old bug of leaving unreferenced objects in preserved
object streams. Fixes #520.
* Portability fix: use tm_gmtoff rather than global timezone
variable if available to get timezone offset. This fixes
compilation on BSD and also results in a daylight saving
time-aware offset for Linux or other GNU systems. Fixes #515.
* When adding a page, if the page already exists, make a shallow
copy of the page instead of throwing an exception. This makes the
behavior of adding a page from the library consistent with what
the CLI does and also with what the library does if it starts with
a file that already has a duplicated page. Note that this means
that, in some cases, the page you pass to addPage or addPageAt
(either in QPDF or QPDFPageDocumentHelper) will not be the same
object that actually gets added. (This has actually always been
the case.) That means that, if you are going to do subsequent
modification on the page, you should retrieve it again.
* 10.3.1: release
* Bug fix: allow /DR to be direct in /AcroForm
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
- Update from 2.68.1 to 2.68.2
- Update rootfiles
- Changelog
Overview of changes in GLib 2.68.2
* Fix building third-party projects against GLib on CentOS 7 (work by
Ignacio Casal Quinteiro) (#2387)
* Bugs fixed:
- #2387 json-glib does not build with glib 2.68.1
- !2060 gmacros: check that __cplusplus or _MSC_VER is defined
- !2068 gmacros: missing check if __STDC_VERSION__ is defined
- !2079 Backport !2078 “gthreadedresolver: don't ignore flags in lookup_by_name_with_flags” to glib-2-68
* Translation updates:
- Nepali
- Serbian
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
- Update from 1.3.2 to 1.3.3
- Update rootfiles
- Changelog
General:
Fix CPU detection (Janne Hyvärinen).
Switch from unsigned types to uint32_t (erikd).
CppCheck fixes (erikd).
Improve SIMD decoding of 24 bit files (lvqcl).
POWER* and POWER9 improvements (Anton Blanchard).
More tests.
FLAC format:
(none)
Ogg FLAC format:
(none)
flac:
When converting to WAV, use WAVEFORMATEXTENSIBLE when bits per
second is not 8 or 16 (erikd).
Fix --output-prefix with input-files in sub-directories (orbea).
metaflac:
(none)
plugins:
(none)
build system:
Cmake support (Vitaliy Kirsanov, evpobr).
Visual Studio updates (Janne Hyvärinen).
Fix for MSVC when UNICODE is enabled (lvqcl).
Fix for OpenBSD/i386 (Christian Weisgerber).
documentation:
(none)
libraries:
(none).
Interface changes:
libFLAC:
(none)
libFLAC++:
(none)
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
These include rootfiles, firewall menu entries that have been
unmaintained for a long time, and firewall chains which were never used
in recent time.
Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
This library has received no attention within the last three years. By
design, UPnP is a security risk on any firewall, and an outdated
version of a UPnP library definitely is.
This patch therefore drops libupnp completely.
Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
- Update from 10.1 to 10.2
- Update rootfiles
- Changelog
GDB 10.2 brings the following fixes and enhancements over GDB 10.1:
* PR remote/26614 (AddressSanitizer: heap-use-after-free of extended_remote_target in remote_async_inferior_event_handler)
* PR gdb/26828 (SIGSEGV in follow_die_offset dwarf2/read.c:22950)
* PR gdb/26861 (internal-error: void target_mourn_inferior(ptid_t): Assertion `ptid == inferior_ptid' failed. OS: Mac OSX Catalina; Compiler: GCC; Language: C)
* PR gdb/26876 (gdb error: internal-error: Unknown CFA rule when debugging the linux kernel with qemu)
* PR breakpoints/26881 (infrun.c:6384: internal-error: void process_event_stop_test(execution_control_state*): Assertion `ecs->event_thread->control.exception_resume_breakpoint != NULL' failed)
* PR gdb/26901 (Array subscript fails with flexible array member without size)
* PR tui/26973 (gdb crashes when not including the status window in a new layout)
* PR python/26974 (Wrong Value.format_string docu for static members argument)
* PR breakpoints/27009 ([s390] GDB branches randomly for BC instruction while displaced stepping)
* PR tdep/27015 (ARC: "eret" value is collected from the wrong data in register cache)
* PR backtrace/27147 ([GNU/Linux, sparc64] GDB is unable to print full stack trace (got "previous frame inner to this frame" errors))
* PR rust/27194 (put rust demangler on 10.x branch)
* PR threads/27239 (gdb/cp-support.c:1619:(.text+0x5502): relocation truncated to fit: R_X86_64_PC32 against undefined symbol `TLS init function for thread_local_segv_handler')
* PR breakpoints/27330 (nextoverthrow.exp FAILs on arm-none-eabi)
* PR symtab/27333 ([dwarf-5] abort on unhandled DW_TAG_type_unit in process_psymtab_comp_unit)
* PR fortran/27341 ([dwarf-5] FAIL: gdb.fortran/function-calls.exp: p derived_types_and_module_calls::pass_cart_nd(c_nd))
* PR tdep/27369 (ARC: Stepping over atomic instruction sequences loops infinitely)
* PR build/27385 (Cannot compile arc.c with gcc-4.8 (error: no matching function for call to 'std::pair...'))
* PR gdb/27435 (Attach on solaris segfaults GDB)
* PR build/27535 (amd64-linux-siginfo.c fails to compile after updating to glibc-2.33 headers)
* PR build/27536 (aarch64-linux-hw-point.c fails to compile after updating to glibc-2.33)
* PR symtab/27541 (gdb crashes on "file -readnow")
* PR gdb/27750 (local variables have wrong address and values on sparc64)
* PR varobj/27757 (-var-list-children coredump)
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
This is only needed in case of bounces generated by locally emitted
messages. We neither store these, nor do we create mail boxes on a
firewall. Safe to drop.
Cc: Michael Tremer <michael.tremer@ipfire.org>
Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>