For details see:
https://dlcdn.apache.org/httpd/CHANGES_2.4.58
Excerpt from changelog:
"Changes with Apache 2.4.58
*) SECURITY: CVE-2023-45802: Apache HTTP Server: HTTP/2 stream
memory not reclaimed right away on RST (cve.mitre.org)
When a HTTP/2 stream was reset (RST frame) by a client, there
was a time window were the request's memory resources were not
reclaimed immediately. Instead, de-allocation was deferred to
connection close. A client could send new requests and resets,
keeping the connection busy and open and causing the memory
footprint to keep on growing. On connection close, all resources
were reclaimed, but the process might run out of memory before
that.
This was found by the reporter during testing of CVE-2023-44487
(HTTP/2 Rapid Reset Exploit) with their own test client. During
"normal" HTTP/2 use, the probability to hit this bug is very
low. The kept memory would not become noticeable before the
connection closes or times out.
Users are recommended to upgrade to version 2.4.58, which fixes
the issue.
Credits: Will Dormann of Vul Labs
*) SECURITY: CVE-2023-43622: Apache HTTP Server: DoS in HTTP/2 with
initial windows size 0 (cve.mitre.org)
An attacker, opening a HTTP/2 connection with an initial window
size of 0, was able to block handling of that connection
indefinitely in Apache HTTP Server. This could be used to
exhaust worker resources in the server, similar to the well
known "slow loris" attack pattern.
This has been fixed in version 2.4.58, so that such connection
are terminated properly after the configured connection timeout.
This issue affects Apache HTTP Server: from 2.4.55 through
2.4.57.
Users are recommended to upgrade to version 2.4.58, which fixes
the issue.
Credits: Prof. Sven Dietrich (City University of New York)
*) SECURITY: CVE-2023-31122: mod_macro buffer over-read
(cve.mitre.org)
Out-of-bounds Read vulnerability in mod_macro of Apache HTTP
Server.This issue affects Apache HTTP Server: through 2.4.57.
Credits: David Shoon (github/davidshoon)"
Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org>
Reviewed-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
For details see:
v4.19.1. => https://www.samba.org/samba/history/samba-4.19.1.html
"
==============================
Release Notes for Samba 4.19.1
October 10, 2023
==============================
This is a security release in order to address the following defects:
o CVE-2023-3961: Unsanitized pipe names allow SMB clients to connect as root to
existing unix domain sockets on the file system.
https://www.samba.org/samba/security/CVE-2023-3961.html
o CVE-2023-4091: SMB client can truncate files to 0 bytes by opening files with
OVERWRITE disposition when using the acl_xattr Samba VFS
module with the smb.conf setting
"acl_xattr:ignore system acls = yes"
https://www.samba.org/samba/security/CVE-2023-4091.html
o CVE-2023-4154: An RODC and a user with the GET_CHANGES right can view all
attributes, including secrets and passwords. Additionally,
the access check fails open on error conditions.
https://www.samba.org/samba/security/CVE-2023-4154.html
o CVE-2023-42669: Calls to the rpcecho server on the AD DC can request that the
server block for a user-defined amount of time, denying
service.
https://www.samba.org/samba/security/CVE-2023-42669.html
o CVE-2023-42670: Samba can be made to start multiple incompatible RPC
listeners, disrupting service on the AD DC.
https://www.samba.org/samba/security/CVE-2023-42670.html"
v4.19.2 => https://www.samba.org/samba/history/samba-4.19.2.html
"Changes since 4.19.1
--------------------
o Jeremy Allison <jra@samba.org>
* BUG 15423: Use-after-free in aio_del_req_from_fsp during smbd shutdown
after failed IPC FSCTL_PIPE_TRANSCEIVE.
* BUG 15426: clidfs.c do_connect() missing a "return" after a cli_shutdown()
call.
o Ralph Boehme <slow@samba.org>
* BUG 15463: macOS mdfind returns only 50 results.
o Volker Lendecke <vl@samba.org>
* BUG 15481: GETREALFILENAME_CACHE can modify incoming new filename with
previous cache entry value.
o Stefan Metzmacher <metze@samba.org>
* BUG 15464: libnss_winbind causes memory corruption since samba-4.18,
impacts sendmail, zabbix, potentially more.
o Martin Schwenke <mschwenke@ddn.com>
* BUG 15479: ctdbd: setproctitle not initialized messages flooding logs.
o Joseph Sutton <josephsutton@catalyst.net.nz>
* BUG 15491: CVE-2023-5568 Heap buffer overflow with freshness tokens in the
Heimdal KDC in Samba 4.19
* BUG 15477: The heimdal KDC doesn't detect s4u2self correctly when fast is
in use."
Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org>
Reviewed-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
- This error means that a section in extrahd.cgi about the mount path being incorrect
does not get shown for users with english language selected.
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Reviewed-by: bbitsch@ipfire.org
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
- A script was added to the update.sh script to add pass/no pass to the ovpnconfig entries
but I forgot that this was also needed in the backup.pl file to add those statuses into
any ovpnconfig file restored from a backup before the pass/no pass entries were added.
- This patch corrects that oversight.
- Confirmed by testing on my vm. Before the script added to backup.pl a restore of older
ovpnconfig ended up not showing any icons or status elements. With the script in
backup.pl confirmed that the restored ovpnconfig showed up in the WUI page correctly
with the right icons and with the status elements correctly displayed.
Tested-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
dnsdist build on my builder fine but it fails on the buildserver
via qemu-user.
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Changes in version 0.4.8.7 - 2023-09-25
This version fixes a single major bug in the Conflux subsystem on the client
side. See below for more information. The upcoming Tor Browser 13 stable will
pick this up.
o Major bugfixes (conflux):
- Fix an issue that prevented us from pre-building more conflux sets
after existing sets had been used. Fixes bug 40862; bugfix
on 0.4.8.1-alpha.
o Minor features (fallbackdir):
- Regenerate fallback directories generated on September 25, 2023.
o Minor features (geoip data):
- Update the geoip files to match the IPFire Location Database, as
retrieved on 2023/09/25.
Changes in version 0.4.8.6 - 2023-09-18
This version contains an important fix for onion service regarding congestion
control and its reliability. Apart from that, uneeded BUG warnings have been
suppressed especially about a compression bomb seen on relays. We strongly
recommend, in particular onion service operators, to upgrade as soon as
possible to this latest stable.
o Major bugfixes (onion service):
- Fix a reliability issue where services were expiring their
introduction points every consensus update. This caused
connectivity issues for clients caching the old descriptor and
intro points. Bug reported and fixed by gitlab user
@hyunsoo.kim676. Fixes bug 40858; bugfix on 0.4.7.5-alpha.
o Minor features (debugging, compression):
- Log the input and output buffer sizes when we detect a potential
compression bomb. Diagnostic for ticket 40739.
o Minor features (fallbackdir):
- Regenerate fallback directories generated on September 18, 2023.
o Minor features (geoip data):
- Update the geoip files to match the IPFire Location Database, as
retrieved on 2023/09/18.
o Minor bugfix (defensive programming):
- Disable multiple BUG warnings of a missing relay identity key when
starting an instance of Tor compiled without relay support. Fixes
bug 40848; bugfix on 0.4.3.1-alpha.
o Minor bugfixes (bridge authority):
- When reporting a pseudo-networkstatus as a bridge authority, or
answering "ns/purpose/*" controller requests, include accurate
published-on dates from our list of router descriptors. Fixes bug
40855; bugfix on 0.4.8.1-alpha.
o Minor bugfixes (compression, zstd):
- Use less frightening language and lower the log-level of our run-
time ABI compatibility check message in our Zstd compression
subsystem. Fixes bug 40815; bugfix on 0.4.3.1-alpha.
Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
Reviewed-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
- Update from version 3.2.12 to 3.2.14
- Update of rootfile not required
- This version update includes the patches previously used to add the dummies for tags
and to update to udev version 251 which is bugfix #253
- Changelog
3.2.14
Clear sysattr cache if a null pointer is passed by @NaofumiHonda in #255
Add /usr/local/lib/udev/rules.d by @bbonev in #260
Fix := not preventing further assignments to RUN by @bbonev in #257
Let libudev find hwdb.bin under UDEV_HWDB_BIN by
@vivien-consider-dropping-github in #264
Add a generic --output argument to udevadm hwdb by
@vivien-consider-dropping-github in #263
Dynamically get the udevadm hwdb files with a path variable by
@vivien-consider-dropping-github in #262
More wording fixes for the manual page for udev by
@vivien-consider-dropping-github in #265
Add missing API from 247 by @bbonev in #253
Ensure that standard file descriptors are open by @bbonev in #266
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
- Update from version 3.00 to 3.08
- Update of rootfile
- All the other patches and sed modifications are now built mintyo the source tarball,
except for the mountpoint patch which is stilol needed
- Changelog
3.08
This release focuses on three changes which are basically imports of patches from Gentoo. Special thanks to floppym for supplying these.
Applied a patch from floppm which adds kexec option to the halt command. This can be used as "halt -k".
floppym provided patch which causes the halt command to call "shutdown -h -H" instead of "shutdown -h" when halt is invoked without parameters. This forces the shutdown command to set the INIT_HALT variable and assume, unless other conditions apply, that the "halt" call really wants to halt the machine and INIT_HALT should be set. In other words we assume halt wants to halt unless told otherwise.
Addresses downstream Gentoo bug ID 911257.
Updated halt documentation and help output to display parameters in alphabetical order.
3.07
The 3.07 release of SysV init mostly introduces fixes and improvements for the
killall5 and pidof programs. (These are actually the same program, but are
invoked with two different names, which result in different behaviour. The main
highlights in this release are:
Fixed killall5 so that processes in the omit list are not sent any
signals, including SIGSTOP.
Fixed usage message for killall5 to be more accurate.
pidof was not returning PIDs of programs which were launched using a
symbolic link. This has been fixed so programs run from a symbolic link
show up in process lists.
3.06
Mark Hindley fixed typo in es.po
Mark Hindley cleaned up translation code in src/Makefile.
Drop sulogin from Debian build. Removed libcrypt-dev dependency.
Fixed pt translation pages which were failing due to mis-matched open/close
tags.
Makefile now respects ROOT prefix when setting up pidof-to-killall5 symbolic
link.
Removed redundant translation files from man directory.
Makefile now respects DESTDIR. User can specify either ROOT= or DESTDIR= to
set install prefix.
3.05
This release (3.05) focuses on two things:
Updating the translation framework.
Fixing compiling issues on various systems.
The second point, compiling, encompasses a few minor changes to get SysV init to
build properly on GNU Hurd, systems without certain GNU assumptions, and systems
running the latest glibc library (2.36 at time of writing).
3.04
This release contains one minor fix which allows the bootlogd code to properly
compile on Debian's GNU Hurd branch.
3.03
This release includes two minor changes. One is fixing a typo in the init manual
page (init.8). this fix was offered by Mark hindley.
Mark, and a few other people, also pointed out that a fix in 3.02 for bootlogd
introduced reliance on a defined PATH_MAX constant. This is used elsewhere in
the code, but is not explicitly defined in bootlogd, which caused bootlogd to
not build properly on GNU Hurd and musl C systems. This has been fixed.
3.02
Added q and Q flags to synopsis in shutdown manual page.
Applied fixes for markup and spacing in manual pages.
Patch provided by Mario Blattermann.
Added translation framework (po4a) from Mario Blttermann.
Added Makefile for man/ directory. Will handle translations
and substitutions.
Applied new translations for multiple languages from Mario Blattermann.
Added ability to use "@" symbol in command named in the inittab file. This
treats commands as literal and does not launch a shell to interpret them.
Updated inittab manual page to include overview of symbols which trigger
a shell interpretor and how to disable them using the @ symbol.
Introduced change which adds error checking in bootlogd when performing
chdir(). - Provided by Alexander Vickberg
Add check for console using TIOCGDEV on Linux systems in bootlogd to
make finding console more robust. - Provided by Alexander Vickberg
3.01
Default to showing processes in the uninterruptable state (D).
The -z flag no longer affects whether processes in D state are shown.
The -z flag does still toggle whether zombie (Z) processes are shown.
Removed unnecessary check which is always true from init tab parsing.
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Changelog according to https://cisofy.com/changelog/lynis/#309:
- DBS-1820 - Added newer style format for Mongo authorization setting
- FILE-6410 - Locations added for plocate
- SSH-7408 - Only test Compression if sshd version < 7.4
- Improved fetching timestamp
- Minor changes such as typos
Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
Reviewed-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
this fail on riscv64 because it is compiled with lvm and
we not need to strip not shipped buildtime deps.
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
This was updated in 180, but we want to make sure that even testing
users get the latest updates.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
This commit adds support for using LVM and mdadm based RAID devices
for the CGI page.
In case one or more drives/partitions are used by such a "grouped"
volume they still will displayed on the page, but can not be
configured/used. Instead the "master" volume of which the
drive/partition is part of is shown in the "mountpoint" input box.
Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
This commit adds support for using LVM and mdadm based RAID devices
for the CGI page.
In case one or more drives/partitions are used by such a "grouped"
volume they still will displayed on the page, but can not be
configured/used. Instead the "master" volume of which the
drive/partition is part of is shown in the "mountpoint" input box.
Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
- Looking through some of the changelog and some mail list communications it looks like
qemu decided they did noty want to maintain their own bundled version of libslirp when
the majority of OS's had their own version now in place. Ubuntu 18.04 did not have
libslirp but qemu stopped supporting that version from qemu-7.1
- So it looks like all OS's have a standard libslirp available now and qemu have taken
the decision to no longer have their own version but to use the system version. That
was always possible to do if use of the system version was explicitly defined but
the default was to use the bundled version.
- No evidence that libslirp is deprecated.
- The last version of libslirp was released a year ago but it looks like every month or
so there are a couple of commits merged. The last was a month ago.
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
- Update from version 8.0.3 to 8.1.1
- In CU179 the update of qemu caused at least one user to have a problem starting his
qemu system as the qemu bundled slirp library used for the net user backend was removed
in version 7.2. Unfortunately no user tested qemu in the CU179 Testing phase, or if they
did they are not using the net user backend.
- This patch adds the --enable-slirp option to configure and installs libslirp in a
separate patch.
- I can't test if this now works as I don't use qemu anywhere.
- Changelog is too large to include here.
8.1
https://wiki.qemu.org/ChangeLog/8.1
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
- When the url filter update enable checkbox is unchecked then this patch calls
urlfilterctrl with the remove option added in the otrher patch of this series.
- Tested on my vm testbed that this change does remove the urlfilter symlink from the
fcron directories when the update is disabled.
Fixes: Bug#10649
Tested-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
- Currently if the urlfilter update is enabled then autoupdate.pl is renamed urlfilter and
added into either the daily, weekly or monthly fcron directoiries. If the update is
disabled then the urlfilter update script stays in the directory and is not removed.
- This patch adds in the option of remove to the urlfilterctrl program. The first part
of the urlfilterctrl.c code removes any existing symlinks so all that needs to be done
for the remove option is to not add any symlinks to the fcron directories.
- Confirmed in a vm testbed that the current approach leaves the symlink in place. Installed
the changes from this and the previous patch and confirmed that when the url update is
disabled the symlink is removed.
Fixes: Bug#10649
Tested-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
- The code checks first if ovpnconfig exists and is not empty.
- Then it makes all net2net connections no-pass since they do not use encryption
- Then it cycles through all .p12 files and checks with openssl if a password exists or not.
If a password is present then pass is added to index 41 and if not then no-pass is added
to index 41
- I had to add a blank line to the top of the ovpnconfig file otherwise the awk code
treated the first line as a blank line and missed it out of the update. This was the
problem that was discovered during the previous Testing Release evaluation.
Tested out this time with several existing entries both encrypted and insecure and with
additional entries of both added in afterwards and all connection entries were
maintained - road warrior and net2net.
- This code should be left in update.sh for future Core Updates in case people don't update
with Core Update 175 but leave it till later. This code works fine on code that already
has pass or no-pass entered into index 41 in ovpnconfig
Fixes: Bug#11048
Suggested-by: Erik Kapfer <ummeegge@ipfire.org>
Suggested-by: Adolf Belka <adolf.belka@ipfire.org>
Tested-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
- This uses a padlock icon from https://commons.wikimedia.org/wiki/File:Encrypted.png
- The license for this image is the following:-
This library is free software; you can redistribute it and/or modify it under the terms
of the GNU Lesser General Public License as published by the Free Software Foundation;
either version 2.1 of the License, or (at your option) any later version. This library
is distributed in the hope that it will be useful, but without any warranty; without
even the implied warranty of merchantability or fitness for a particular purpose. See
version 2.1 and version 3 of the GNU Lesser General Public License for more details.
- Based on the above license I believe it can be used by IPFire covered by the GNU General
Public License that is used for it.
- The icon image was made by taking the existing openvpn.png file and superimposing the
padlock icon on top of it as a 12x12 pixel format and naming it openvpn_encrypted.png
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
- At long last I have re-visited the patch submission for bug #11048 and fixed the issues
that caused the problems last time I evaluated it in Testing.
- The insecure package download icon is shown if entry 41 in /var/ipfire/ovpn/ovpnconfig
is set to no-pass. The code block on ovpnmain.cgi that deals with this checks if the
connection is a host and if the first password entry is a null. Then it adds no-pass
to ovpnconfig.
- The same block of code is also used for when he connection is edited. However at this
stage the password entry is back to null because the password value is only kept until
the connection has been saved. Therefore doing an edit results in the password value
being taken as null even for connections with a password.
- This fix enters no-pass if the connection type is host and the password is null, pass if
the connection type is host and the password has characters. If the connection type is
net then no-pass is used as net2net connections dop not have encrypted certificates.
- The code has been changed to show a different icon for unencrypted and encrypted
certificates.
- Separate patches are provided for the language file change, the provision of a new icon
and the code for the update.sh script for the Core Update to update all existing
connections, if any exist, to have either pass or no-pass in index 41.
- This patch set was a joint collaboration between Erik Kapfer and Adolf Belka
- Patch set, including the code for the Core Update 180 update.sh script has been tested
on a vm testbed
Fixes: Bug#11048
Tested-by: Adolf Belka <adolf.belka@ipfire.org>
Suggested-by: Adolf Belka <adolf.belka@ipfire.org>
Suggested-by: Erik Kapfer <ummeegge@ipfire.org>
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
