There used to be a time where the authenticator crashed when the OpenVPN
daemon went away which is causing issues.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
For details see:
https://blog.clamav.net/2023/02/clamav-01038-01052-and-101-patch.html
"ClamAV 1.0.1 is a critical patch release with the following fixes:
CVE-2023-20032: Fixed a possible remote code execution
vulnerability in the HFS+ file parser. The issue affects versions
1.0.0 and earlier, 0.105.1 and earlier, and 0.103.7 and earlier.
Thank you to Simon Scannell for reporting this issue.
CVE-2023-20052: Fixed a possible remote information leak
vulnerability in the DMG file parser. The issue affects versions
1.0.0 and earlier, 0.105.1 and earlier, and 0.103.7 and earlier.
Thank you to Simon Scannell for reporting this issue.
Fix an allmatch detection issue with the preclass bytecode hook."
Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
*) Fixed X.400 address type confusion in X.509 GeneralName.
There is a type confusion vulnerability relating to X.400 address processing
inside an X.509 GeneralName. X.400 addresses were parsed as an ASN1_STRING
but subsequently interpreted by GENERAL_NAME_cmp as an ASN1_TYPE. This
vulnerability may allow an attacker who can provide a certificate chain and
CRL (neither of which need have a valid signature) to pass arbitrary
pointers to a memcmp call, creating a possible read primitive, subject to
some constraints. Refer to the advisory for more information. Thanks to
David Benjamin for discovering this issue. (CVE-2023-0286)
This issue has been fixed by changing the public header file definition of
GENERAL_NAME so that x400Address reflects the implementation. It was not
possible for any existing application to successfully use the existing
definition; however, if any application references the x400Address field
(e.g. in dead code), note that the type of this field has changed. There is
no ABI change.
[Hugo Landau]
*) Fixed Use-after-free following BIO_new_NDEF.
The public API function BIO_new_NDEF is a helper function used for
streaming ASN.1 data via a BIO. It is primarily used internally to OpenSSL
to support the SMIME, CMS and PKCS7 streaming capabilities, but may also
be called directly by end user applications.
The function receives a BIO from the caller, prepends a new BIO_f_asn1
filter BIO onto the front of it to form a BIO chain, and then returns
the new head of the BIO chain to the caller. Under certain conditions,
for example if a CMS recipient public key is invalid, the new filter BIO
is freed and the function returns a NULL result indicating a failure.
However, in this case, the BIO chain is not properly cleaned up and the
BIO passed by the caller still retains internal pointers to the previously
freed filter BIO. If the caller then goes on to call BIO_pop() on the BIO
then a use-after-free will occur. This will most likely result in a crash.
(CVE-2023-0215)
[Viktor Dukhovni, Matt Caswell]
*) Fixed Double free after calling PEM_read_bio_ex.
The function PEM_read_bio_ex() reads a PEM file from a BIO and parses and
decodes the "name" (e.g. "CERTIFICATE"), any header data and the payload
data. If the function succeeds then the "name_out", "header" and "data"
arguments are populated with pointers to buffers containing the relevant
decoded data. The caller is responsible for freeing those buffers. It is
possible to construct a PEM file that results in 0 bytes of payload data.
In this case PEM_read_bio_ex() will return a failure code but will populate
the header argument with a pointer to a buffer that has already been freed.
If the caller also frees this buffer then a double free will occur. This
will most likely lead to a crash.
The functions PEM_read_bio() and PEM_read() are simple wrappers around
PEM_read_bio_ex() and therefore these functions are also directly affected.
These functions are also called indirectly by a number of other OpenSSL
functions including PEM_X509_INFO_read_bio_ex() and
SSL_CTX_use_serverinfo_file() which are also vulnerable. Some OpenSSL
internal uses of these functions are not vulnerable because the caller does
not free the header argument if PEM_read_bio_ex() returns a failure code.
(CVE-2022-4450)
[Kurt Roeckx, Matt Caswell]
*) Fixed Timing Oracle in RSA Decryption.
A timing based side channel exists in the OpenSSL RSA Decryption
implementation which could be sufficient to recover a plaintext across
a network in a Bleichenbacher style attack. To achieve a successful
decryption an attacker would have to be able to send a very large number
of trial messages for decryption. The vulnerability affects all RSA padding
modes: PKCS#1 v1.5, RSA-OEAP and RSASVE.
(CVE-2022-4304)
[Dmitry Belyavsky, Hubert Kario]
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
- libtirpc is required for lsof to work from CU172 onwards. rpc.h is no longer available
from glibc. This would normally cause the lsof build to fail but libtirpc as an addon
is built before lsof and so is present in the build and lsof is linked to it.
When running lsof it fails as the linked libtirpc library is not present unless it has
been installed as an addon.
- This patch converts the libtirpc lfs from an addon to a core program and moves the
rootfile from the packages directory to the common directory.
- Tested out on my vm testbed. With CU172 lsof fails to run due to the missing libtirpc
With the build based on this patch installed lsof works normally again.
- Disabled the static library build in the configure options and updated the rootfile
Tested-by: Adolf Belka <adolf.belka@ipfire.org>
Fixes: Bug#13015
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Reviewed-by: Bernhard Bitsch <bbitsch@ipfire.org>
Changes in version 0.4.7.13 - 2023-01-12
This version contains three major bugfixes, two for relays and one for
client being a security fix, TROVE-2022-002. We have added, for Linux, the
support for IP_BIND_ADDRESS_NO_PORT for relays using OutboundBindAddress.
We strongly recommend to upgrade to this version considering the important
congestion control fix detailed below.
o Major bugfixes (congestion control):
- Avoid incrementing the congestion window when the window is not
fully in use. Thia prevents overshoot in cases where long periods
of low activity would allow our congestion window to grow, and
then get followed by a burst, which would cause queue overload.
Also improve the increment checks for RFC3742. Fixes bug 40732;
bugfix on 0.4.7.5-alpha.
o Major bugfixes (relay):
- When opening a channel because of a circuit request that did not
include an Ed25519 identity, record the Ed25519 identity that we
actually received, so that we can use the channel for other
circuit requests that _do_ list an Ed25519 identity. (Previously
we had code to record this identity, but a logic bug caused it to
be disabled.) Fixes bug 40563; bugfix on 0.3.0.1-alpha. Patch
from "cypherpunks".
o Major bugfixes (TROVE-2022-002, client):
- The SafeSocks option had its logic inverted for SOCKS4 and
SOCKS4a. It would let the unsafe SOCKS4 pass but not the safe
SOCKS4a one. This is TROVE-2022-002 which was reported on
Hackerone by "cojabo". Fixes bug 40730; bugfix on 0.3.5.1-alpha.
o Minor feature (authority):
- Reject 0.4.6.x series at the authority level. Closes ticket 40664.
o Minor features (fallbackdir):
- Regenerate fallback directories generated on January 12, 2023.
o Minor features (geoip data):
- Update the geoip files to match the IPFire Location Database, as
retrieved on 2023/01/12.
o Minor features (relays):
- Set the Linux-specific IP_BIND_ADDRESS_NO_PORT option on outgoing
sockets, allowing relays using OutboundBindAddress to make more
outgoing connections than ephemeral ports, as long as they are to
separate destinations. Related to issue 40597; patch by Alex
Xu (Hello71).
o Minor bugfixes (relay, metrics):
- Fix typo in a congestion control label on the MetricsPort. Fixes
bug 40727; bugfix on 0.4.7.12.
o Minor bugfixes (sandbox, authority):
- With the sandbox enabled, allow to write "my-consensus-
{ns|microdesc}" and to rename them as well. Fixes bug 40729;
bugfix on 0.3.5.1-alpha.
o Code simplifications and refactoring:
- Rely on actual error returned by the kernel when choosing what
resource exhaustion to log. Fixes issue 40613; Fix
on tor-0.4.6.1-alpha.
Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
- Update from version 0.40.0 to 0.42.2
- Update of rootfile
- Build converted to meson
- Changelog is empty in the source tarball as is the NEWS file. There is no change log
info on the webpage. The only source of change info are the commits from the git repo
https://cgit.freedesktop.org/pixman/log/
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
- Update from version 1.16.0 to 1.17.6
- Update of rootfile
- Next version will only build with meson and as there were some bugs with the autoconf
tools build which required a hack to overcome, this version was changed to run with
meson. beos and os2 backends are no longer supported and windows only builds if the
platform being used for the build is windows based. Therefore those options are no
longer needed. meson uses shared libraries only by default.
- The cairo-1.16.0-binutils-2.34 patch is no longer needed as the changes have been
included in the source tarball.
- tarball had to be changed to .bz2 as xz is no longer provided.
- Changelog
Release 1.17.6 (2022-03-18 Emmanuele Bassi <ebassi@gnome.org>)
I spy with my little eye… a Cairo snapshot!
First of all, many, many thanks to everyone who contributed to Cairo
during this development cycle. A special thank you goes to:
- Adrian Johnson
- Uli Schlachter
for their tireless efforts in ensuring that the lights are still on
in the Cairo project.
This snapshot sees the removal of the following backends and platform
support:
- Qt4
- BeOS
- OS/2
- DirectFB
- DRM
- Cogl
- OpenVG
Thanks to all past contributors for their work on them. If you were using
any of these backends then you will need to stick to Cairo 1.16.
To offset the removal of the backends above, Adrian Johnson landed the
DWrite font rendering backend on Windows.
There have been multiple improvements in the Quartz backend, courtesy of
John Ralls.
Tim-Philipp Müller has kept the Meson build in top shape.
This snapshot is going to be the **last** release of Cairo with the
Autotools build system. The Meson build has seen many improvements and
it is considerably easier to maintain and faster to build.
Release 1.17.4 (2020-11-27 Bryce Harrington <bryce@bryceharrington.org>)
Thank you to the many people who have contributed the large number of
bug fixes and refinements since 1.17.2.
A particularly noteworthy improvement in this release is the addition of
the meson build system as an alternative to autotools. Autotools is
still used for producing the releases, so will be the default in the
tarball and presumably will still be preferred by distro packagers of
Cairo. It should be possible to build the release tarball using meson,
but as this is new functionality consider it still a work in progress.
The meson configuration has striven to track the autotools
implementation but be aware there may still be some differences between
the two.
Continuous Integration configurations have been added that enable
testing on a variety of platforms including Fedora, Windows MSVC, etc.
This work has helped in identifying updates and fixes including
adjusting to changes in API calls in dependencies like rsvg and
fontconfig, and to fix platform-specific build issues.
The cogl Cairo backend underwent significant development this cycle.
Cogl provides GPU accelerated drawing support. The development work
includes implementation of core functionality, performance
optimizations, and stabilization.
Subpixel positioning support allows improved glyph outlines with the
Freetype font backend.
For a complete log of changes, please see
https://cairographics.org/releases/ChangeLog.1.17.4
[On a personal note, this will be my last release for Cairo. My Cairo
time availability has been non-existent (particularly this crazy past
year). The release process is well documented and hopefully will help
whomever picks up the baton from here.]
Release 1.17.2 (2019-01-31 Bryce Harrington <bryce@bryceharrington.org>)
This snapshot provides the new support for writing floating point
formats as 16 bpc PNGs, with support for RGBA128F and RGB96F formats.
This new feature increases Cairo's pixman version requirement to 0.36.0.
Beyond this are a range of bugfixes and some work on establishing CI for
Cairo.
For a complete log of changes, please see
https://cairographics.org/releases/ChangeLog.1.17.2
API Changes
None
Dependency Changes
pixman 0.36.0
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
- Update from version 5.4.0 to 5.4.1
- Update of rootfile
- Changelog
5.4.1 (2023-01-11)
* liblzma:
- Fixed the return value of lzma_microlzma_encoder() if the
LZMA options lc/lp/pb are invalid. Invalid lc/lp/pb options
made the function return LZMA_STREAM_END without encoding
anything instead of returning LZMA_OPTIONS_ERROR.
- Windows / Visual Studio: Workaround a possible compiler bug
when targeting 32-bit x86 and compiling the CLMUL version of
the CRC64 code. The CLMUL code isn't enabled by the Windows
project files but it is in the CMake-based builds.
* Build systems:
- Windows-specific CMake changes:
* Don't try to enable CLMUL CRC64 code if _mm_set_epi64x()
isn't available. This fixes CMake-based build with Visual
Studio 2013.
* Created a workaround for a build failure with windres
from GNU binutils. It is used only when the C compiler
is GCC (not Clang). The workaround is incompatible
with llvm-windres, resulting in "XZx20Utils" instead
of "XZ Utils" in the resource file, but without the
workaround llvm-windres works correctly. See the
comment in CMakeLists.txt for details.
* Included the resource files in the xz and xzdec build
rules. Building the command line tools is still
experimental but possible with MinGW-w64.
- Visual Studio: Added stream_decoder_mt.c to the project
files. Now the threaded decompressor lzma_stream_decoder_mt()
gets built. CMake-based build wasn't affected.
- Updated windows/INSTALL-MSVC.txt to mention that CMake-based
build is now the preferred method with Visual Studio. The
project files will probably be removed after 5.4.x releases.
- Changes to #defines in config.h:
* HAVE_DECL_CLOCK_MONOTONIC was replaced by
HAVE_CLOCK_MONOTONIC. The old macro was always defined
in configure-generated config.h to either 0 or 1. The
new macro is defined (to 1) only if the declaration of
CLOCK_MONOTONIC is available. This matches the way most
other config.h macros work and makes things simpler with
other build systems.
* HAVE_DECL_PROGRAM_INVOCATION_NAME was replaced by
HAVE_PROGRAM_INVOCATION_NAME for the same reason.
* Tests:
- Fixed test script compatibility with ancient /bin/sh
versions. Now the five test_compress_* tests should
no longer fail on Solaris 10.
- Added and refactored a few tests.
* Translations:
- Updated the Catalan and Esperanto translations.
- Added Korean and Ukrainian man page translations.
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
- Update from version 6.1.0 to 6.1.1
- Update of rootfile not required
- Changelog
There is no changelog in the source tarball or in the kernel site where the source
tarballs are available from. xfs.org, which normally provides access to the git
repository, fails to connect. xfs.wiki.kernel.org has no changelog info in it.
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
- Update from version 1.9.3 to 1.9.4
- Update of rootfile
- Changelog
v1.9.4
perf : faster decoding speed (~+20%) on aarch64 platforms
perf : faster decoding speed (~+70%) for -BD4 setting in CLI
api : new function `LZ4_decompress_safe_partial_usingDict()` by @yawqi
api : lz4frame: ability to provide custom allocators at state creation
api : can skip checksum validation for improved decoding speed
api : new experimental unit `lz4file` for file i/o API, by @anjiahao1
api : new experimental function `LZ4F_uncompressedUpdate()`, by @alexmohr
cli : `--list` works on `stdin` input, by @Low-power
cli : `--no-crc` does not produce (compression) nor check (decompression) checksums
cli : fix: `--test` and `--list` produce an error code when parsing invalid input
cli : fix: support skippable frames when passed via `stdin`, reported by @davidmankin
build: fix: Makefile respects CFLAGS directives passed via environment variable
build: `LZ4_FREESTANDING`, new build macro for freestanding environments, by @t-mat
build: `make` and `make test` are compatible with `-j` parallel run
build: AS/400 compatibility, by @jonrumsey
build: Solaris 10 compatibility, by @pekdon
build: MSVC 2022 support, by @t-mat
build: improved meson script, by @eli-schwartz
doc : Updated LZ4 block format, provide an "implementation notes" section
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
For details see:
https://lists.gnu.org/archive/html/info-gnu/2023-01/msg00007.html
"
...
The specific issue that was addressed in this release:
https://savannah.gnu.org/bugs/?63616 (pasting succeeded despite --view)
Changes between v7.1 and v7.2:
------------------------------
Benno Schulenberg (12):
bindings: let ^/ toggle between the 'search' and 'gotoline' menus
bump version numbers and add a news item for the 7.2 release
copyright: update the years for the FSF
docs: give ^K and ^U some useful function in the alternative bindings
docs: put the binding of ^Y after its unbinding, for it to be effective
gnulib: update to its current upstream state
input: disallow bracketed pastes when in view mode
po: update translations and regenerate POT file and PO files
syntax: html: colorize specially the other two emphasizing tags too
tweaks: avoid warnings when compiling with -Wpedantic
tweaks: rewrap an old news item
tweaks: separate a special thanks from the preceding ones"
Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org>
For details for 9.16.36 and 9.16.37 see:
https://downloads.isc.org/isc/bind9/9.16.37/doc/arm/html/notes.html#notes-for-bind-9-16-37
"Notes for BIND 9.16.37
Security Fixes
An UPDATE message flood could cause named to exhaust all available
memory. This flaw was addressed by adding a new update-quota option
that controls the maximum number of outstanding DNS UPDATE messages
that named can hold in a queue at any given time (default: 100).
(CVE-2022-3094)
ISC would like to thank Rob Schulhof from Infoblox for bringing this
vulnerability to our attention. [GL #3523]
named could crash with an assertion failure when an RRSIG query was
received and stale-answer-client-timeout was set to a non-zero value.
This has been fixed. (CVE-2022-3736)
ISC would like to thank Borja Marcos from Sarenet (with assistance by
Iratxe Niño from Fundación Sarenet) for bringing this vulnerability to
our attention. [GL #3622]
named running as a resolver with the stale-answer-client-timeout option
set to any value greater than 0 could crash with an assertion failure,
when the recursive-clients soft quota was reached. This has been fixed.
(CVE-2022-3924)
ISC would like to thank Maksym Odinintsev from AWS for bringing this
vulnerability to our attention. [GL #3619]
New Features
The new update-quota option can be used to control the number of
simultaneous DNS UPDATE messages that can be processed to update an
authoritative zone on a primary server, or forwarded to the primary
server by a secondary server. The default is 100. A new statistics
counter has also been added to record events when this quota is
exceeded, and the version numbers for the XML and JSON statistics
schemas have been updated. [GL #3523]
Feature Changes
The Differentiated Services Code Point (DSCP) feature in BIND has been
deprecated. Configuring DSCP values in named.conf now causes a warning
to be logged. Note that this feature has only been partly operational
since the new Network Manager was introduced in BIND 9.16.0. [GL #3773]
The catalog zone implementation has been optimized to work with
hundreds of thousands of member zones. [GL #3744]
Bug Fixes
In certain query resolution scenarios (e.g. when following CNAME
records), named configured to answer from stale cache could return a
SERVFAIL response despite a usable, non-stale answer being present in
the cache. This has been fixed. [GL #3678]
...
Notes for BIND 9.16.36
Feature Changes
The auto-dnssec option has been deprecated and will be removed in a
future BIND 9.19.x release. Please migrate to dnssec-policy. [GL #3667]
Bug Fixes
When a catalog zone was removed from the configuration, in some cases a
dangling pointer could cause the named process to crash. This has been
fixed. [GL #3683]
When a zone was deleted from a server, a key management object related
to that zone was inadvertently kept in memory and only released upon
shutdown. This could lead to constantly increasing memory use on
servers with a high rate of changes affecting the set of zones being
served. This has been fixed. [GL #3727]
In certain cases, named waited for the resolution of outstanding
recursive queries to finish before shutting down. This was unintended
and has been fixed. [GL #3183]
The zone <name>/<class>: final reference detached log message was moved
from the INFO log level to the DEBUG(1) log level to prevent the
named-checkzone tool from superfluously logging this message in
non-debug mode. [GL #3707]"
Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org>
