This file points to /usr/bin/setarch, which we do not ship on any
architecture. As it serves no obvious purpose on IPFire installations,
we may as well not ship it entirely.
Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
Reviewed-by: Adolf Belka <adolf.belka@ipfire.org>
Full changelog as per https://savannah.gnu.org/forum/forum.php?forum_id=10107:
New in this release:
* Hardstatus option for used encoding (escape string '%e')
* OpenBSD uses native openpty() from its utils.h
* Fixes:
- fix combining char handling that could lead to a segfault
- CVE-2021-26937: possible denial of service via a crafted UTF-8 character sequence (bug #60030)
- make screen exit code be 0 when checking --help
- session names limit is 80 symbols (bug #61534)
- option -X ignores specified user in multiuser env (bug #37437)
- a lot of reformations/fixes/cleanups (man page and source code)
Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
Reviewed-by: Adolf Belka <adolf.belka@ipfire.org>
- Update from version 4.2.0 to 4.4.1
- Update of rootfile
- Changelog
Overview of changes leading to 4.4.1
- Fix test failure with some compilers.
- Fix Telugu and Kannada kerning regression.
Overview of changes leading to 4.4.0
- Caching of variable fonts shaping, in particular when using HarfBuzz’s own
font loading functions (ot). Bringing performance of variable shaping in par
with non-variable fonts shaping. (Behdad Esfahbod)
- Caching of format 2 “Contextual Substitution” and “Chained Contexts
Substitution” lookups. Resulting in up to 20% speedup of lookup-heavy fonts
like Gulzar or Noto Nastaliq Urdu. (Behdad Esfahbod)
- Improved ANSI output from hb-view. (Behdad Esfahbod)
- Support for shaping legacy, pre-OpenType Windows 3.1-era, Arabic fonts that
relied on a fixed PUA encoding. (Khaled Hosny, Behdad Esfahbod)
- Sinhala script is now shaped by the USE shaper instead of “indic” one.
(Behdad Esfahbod, David Corbett)
- Thai shaper improvements. (David Corbett)
- hb-ot-name API supports approximate BCP-47 language matching, for example
asking for “en_US” in a font that has only “en” names will return them.
(Behdad Esfahbod)
- Optimized TrueType glyph shape loading. (Behdad Esfahbod)
- Fix subsetting of HarfBuzz faces created via hb_face_create_for_tables().
(Garret Rieger)
- Add 32 bit var store support to the subsetter. (Garret Rieger)
- New API
+HB_BUFFER_FLAG_DEFINED
+HB_BUFFER_SERIALIZE_FLAG_DEFINED
+hb_font_changed()
+hb_font_get_serial()
+hb_ft_hb_font_changed()
+hb_set_hash()
+hb_map_copy()
+hb_map_hash()
Overview of changes leading to 4.3.0
- Major speed up in loading and subsetting fonts, especially in
handling CFF table. Subsetting some fonts is now 3 times faster.
(Behdad Esfahbod, Garret Rieger)
- Speed up blending CFF2 table. (Behdad Esfahbod)
- Speed up hb_ot_tags_from_language(). (Behdad Esfahbod, David Corbett)
- Fix USE classification of U+10A38 to fix multiple marks on single Kharoshthi
base. (David Corbett)
- Fix parsing of empty CFF Index. (Behdad Esfahbod)
- Fix subsetting CPAL table with partial palette overlaps. (Garret Rieger)
- New API
+hb_map_is_equal() (Behdad Esfahbod)
Overview of changes leading to 4.2.1
- Make sure hb_blob_create_from_file_or_fail() always returns nullptr in case
of failure and not empty blob sometimes. (Khaled Hosny)
- Add --passthrough-tables option to hb-subset. (Cosimo Lupo)
- Reinstate a pause after basic features in Khmer shaper, fixing a regression
introduced in previous release. (Behdad Esfahbod)
- Better handling of Regional_Indicator when shaped with RTL-native scripts,
reverting earlier fix that caused regressions in AAT shaping. (Behdad Esfahbod)
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Reviewed-by: Peter Müller <peter.mueller@ipfire.org>
- Update from version 3.6.16 to 3.7.6
- Update of rootfile
- find-dependencies run on sobump libs. No dependencies flagged for the old or new libs
- Changelog
* Version 3.7.6 (released 2022-05-27)
** libgnutls: Fixed invalid write when gnutls_realloc_zero()
is called with new_size < old_size. This bug caused heap
corruption when gnutls_realloc_zero() has been set as gmp
reallocfunc (!1592, #1367, #1368, #1369).
** API and ABI modifications:
No changes since last version.
* Version 3.7.5 (released 2022-05-15)
** libgnutls: The GNUTLS_NO_TICKETS_TLS12 flag and %NO_TICKETS_TLS12 priority
modifier have been added to disable session ticket usage in TLS 1.2 because
it does not provide forward secrecy (#477). On the other hand, since session
tickets in TLS 1.3 do provide forward secrecy, the PFS priority string now
only disables session tickets in TLS 1.2. Future backward incompatibility:
in the next major release of GnuTLS, we plan to remove those flag and
modifier, and make GNUTLS_NO_TICKETS and %NO_TICKETS only affect TLS 1.2.
** gnutls-cli, gnutls-serv: Channel binding for printing information
has been changed from tls-unique to tls-exporter as tls-unique is
not supported in TLS 1.3.
** libgnutls: Certificate sanity checks has been enhanced to make
gnutls more RFC 5280 compliant (!1583).
Following changes were included:
- critical extensions are parsed when loading x509
certificate to prohibit any random octet strings.
Requires strict-x509 configure option to be enabled
- garbage bits in Key Usage extension are prohibited
- empty DirectoryStrings in Distinguished name structures
of Issuer and Subject name are prohibited
** libgnutls: Removed 3DES from FIPS approved algorithms (#1353).
According to the section 2 of SP800-131A Rev.2, 3DES algorithm
will be disallowed for encryption after December 31, 2023:
https://csrc.nist.gov/publications/detail/sp/800-131a/rev-2/final
** libgnutls: Optimized support for AES-SIV-CMAC algorithms (#1217, #1312).
The existing AEAD API that works in a scatter-gather fashion
(gnutls_aead_cipher_encryptv2) has been extended to support AES-SIV-CMAC.
For further optimization, new function (gnutls_aead_cipher_set_key) has been
added to set key on the existing AEAD handle without re-allocation.
** libgnutls: HKDF and AES-GCM algorithms are now approved in FIPS-140 mode
when used in TLS (#1311).
** The configure arguments for Brotli and Zstandard (zstd) support
have changed to reflect the previous help text: they are now
--with-brotli/--with-zstd respectively (#1342).
** Detecting the Zstandard (zstd) library in configure has been
fixed (#1343).
** API and ABI modifications:
GNUTLS_NO_TICKETS_TLS12: New flag
gnutls_aead_cipher_set_key: New function
* Version 3.7.4 (released 2022-03-17)
** libgnutls: Added support for certificate compression as defined in RFC8879
(#1301). New API functions (gnutls_compress_certificate_get_selected_method
and gnutls_compress_certificate_set_methods) allow client and server to set
their preferences.
** certtool: Added option --compress-cert that allows user to specify
compression methods for certificate compression.
** libgnutls: GnuTLS can now be compiled with --enable-strict-x509 configure
option to enforce stricter certificate sanity checks that are compliant with
RFC5280.
** libgnutls: Removed IA5String type from DirectoryString within issuer
and subject name to make DirectoryString RFC5280 compliant.
** libgnutls: Added function (gnutls_record_send_file) to send file content from
open file descriptor (!1486). The implementation is optimized if KTLS (kernel
TLS) is enabled.
** libgnutls: Added function (gnutls_ciphersuite_get) to retrieve the name of
current ciphersuite from TLS session (#1291).
** libgnutls: The run-time dependency on tpm2-tss is now re-implemented using
dlopen, so GnuTLS does not indirectly link to other crypto libraries until
TPM2 functionality is utilized (!1544).
** API and ABI modifications:
GNUTLS_COMP_BROTLI: New gnutls_compression_method_t enum member
GNUTLS_COMP_ZSTD: New gnutls_compression_method_t enum member
gnutls_compress_certificate_get_selected_method: Added
gnutls_compress_certificate_set_methods: Added
gnutls_ciphersuite_get: New function
gnutls_record_send_file: New function
libgnutlsxx: Soname bumped due to ABI breakage introduced in 3.7.1
* Version 3.7.3 (released 2022-01-17)
** libgnutls: The allowlisting configuration mode has been added to the system-wide
settings. In this mode, all the algorithms are initially marked as insecure
or disabled, while the applications can re-enable them either through the
[overrides] section of the configuration file or the new API (#1172).
** The build infrastructure no longer depends on GNU AutoGen for generating
command-line option handling, template file parsing in certtool, and
documentation generation (#773, #774). This change also removes run-time or
bundled dependency on the libopts library, and requires Python 3.6 or later
to regenerate the distribution tarball.
Note that this brings in known backward incompatibility in command-line
tools, such as long options are now case sensitive, while previously they
were treated in a case insensitive manner: for example --RSA is no longer a
valid option of certtool. The existing scripts using GnuTLS tools may need
adjustment for this change.
** libgnutls: The tpm2-tss-engine compatible private blobs can be loaded and
used as a gnutls_privkey_t (#594). The code was originally written for the
OpenConnect VPN project by David Woodhouse. To generate such blobs, use the
tpm2tss-genkey tool from tpm2-tss-engine:
https://github.com/tpm2-software/tpm2-tss-engine/#rsa-operations
or the tpm2_encodeobject tool from unreleased tpm2-tools.
** libgnutls: The library now transparently enables Linux KTLS
(kernel TLS) when the feature is compiled in with --enable-ktls configuration
option (#1113). If the KTLS initialization fails it automatically falls back
to the user space implementation.
** certtool: The certtool command can now read the Certificate Transparency
(RFC 6962) SCT extension (#232). New API functions are also provided to
access and manipulate the extension values.
** certtool: The certtool command can now generate, manipulate, and evaluate
x25519 and x448 public keys, private keys, and certificates.
** libgnutls: Disabling a hashing algorithm through "insecure-hash"
configuration directive now also disables TLS ciphersuites that use it as a
PRF algorithm.
** libgnutls: PKCS#12 files are now created with modern algorithms by default
(!1499). Previously certtool used PKCS12-3DES-SHA1 for key derivation and
HMAC-SHA1 as an integity measure in PKCS#12. Now it uses AES-128-CBC with
PBKDF2 and SHA-256 for both key derivation and MAC algorithms, and the
default PBKDF2 iteration count has been increased to 600000.
** libgnutls: PKCS#12 keys derived using GOST algorithm now uses
HMAC_GOSTR3411_2012_512 instead of HMAC_GOSTR3411_2012_256 for integrity, to
conform with the latest TC-26 requirements (#1225).
** libgnutls: The library now provides a means to report the status of approved
cryptographic operations (!1465). To adhere to the FIPS140-3 IG 2.4.C., this
complements the existing mechanism to prohibit the use of unapproved
algorithms by making the library unusable state.
** gnutls-cli: The gnutls-cli command now provides a --list-config option to
print the library configuration (!1508).
** libgnutls: Fixed possible race condition in
gnutls_x509_trust_list_verify_crt2 when a single trust list object is shared
among multiple threads (#1277). [GNUTLS-SA-2022-01-17, CVSS: low]
** API and ABI modifications:
GNUTLS_PRIVKEY_FLAG_RSA_PSS_FIXED_SALT_LENGTH: new flag in gnutls_privkey_flags_t
GNUTLS_VERIFY_RSA_PSS_FIXED_SALT_LENGTH: new flag in gnutls_certificate_verify_flags
gnutls_ecc_curve_set_enabled: Added.
gnutls_sign_set_secure: Added.
gnutls_sign_set_secure_for_certs: Added.
gnutls_digest_set_secure: Added.
gnutls_protocol_set_enabled: Added.
gnutls_fips140_context_init: New function
gnutls_fips140_context_deinit: New function
gnutls_fips140_push_context: New function
gnutls_fips140_pop_context: New function
gnutls_fips140_get_operation_state: New function
gnutls_fips140_operation_state_t: New enum
gnutls_transport_is_ktls_enabled: New function
gnutls_get_library_configuration: New function
* Version 3.7.2 (released 2021-05-29)
** libgnutls: The priority string option %DISABLE_TLS13_COMPAT_MODE was added
to disable TLS 1.3 middlebox compatibility mode
** libgnutls: The Linux kernel AF_ALG based acceleration has been added.
This can be enabled with --enable-afalg configure option, when libkcapi
package is installed (#308).
** libgnutls: Fixed timing of early data exchange. Previously, the client was
sending early data after receiving Server Hello, which not only negates the
benefit of 0-RTT, but also works under certain assumptions hold (e.g., the
same ciphersuite is selected in initial and resumption handshake) (#1146).
** certtool: When signing a CSR, CRL distribution point (CDP) is no longer
copied from the signing CA by default (#1126).
** libgnutls: The GNUTLS_NO_EXPLICIT_INIT envvar has been renamed to
GNUTLS_NO_IMPLICIT_INIT to reflect the purpose (#1178). The former is now
deprecated and will be removed in the future releases.
** certtool: When producing certificates and certificate requests, subject DN
components that are provided individually will now be ordered by
assumed scale (e.g. Country before State, Organization before
OrganizationalUnit). This change also affects the order in which
certtool prompts interactively. Please rely on the template
mechanism for automated use of certtool! (#1243)
** API and ABI modifications:
gnutls_early_cipher_get: Added
gnutls_early_prf_hash_get: Added
** guile: Writes to a session record port no longer throw an exception upon
GNUTLS_E_AGAIN or GNUTLS_E_INTERRUPTED.
* Version 3.7.1 (released 2021-03-10)
** libgnutls: Fixed potential use-after-free in sending "key_share"
and "pre_shared_key" extensions. When sending those extensions, the
client may dereference a pointer no longer valid after
realloc. This happens only when the client sends a large Client
Hello message, e.g., when HRR is sent in a resumed session
previously negotiated large FFDHE parameters, because the initial
allocation of the buffer is large enough without having to call
realloc (#1151). [GNUTLS-SA-2021-03-10, CVSS: low]
** libgnutls: Fixed a regression in handling duplicated certs in a
chain (#1131).
** libgnutls: Fixed sending of session ID in TLS 1.3 middlebox
compatibiltiy mode. In that mode the client shall always send a
non-zero session ID to make the handshake resemble the TLS 1.2
resumption; this was not true in the previous versions (#1074).
** libgnutls: W32 performance improvement with a new sendmsg()-like
transport implementation (!1377).
** libgnutls: Removed dependency on the external 'fipscheck' package,
when compiled with --enable-fips140-mode (#1101).
** libgnutls: Added padlock acceleration for AES-192-CBC (#1004).
** API and ABI modifications:
No changes since last version.
* Version 3.7.0 (released 2020-12-02)
** libgnutls: Depend on nettle 3.6 (!1322).
** libgnutls: Added a new API that provides a callback function to
retrieve missing certificates from incomplete certificate chains
(#202, #968, #1100).
** libgnutls: Added a new API that provides a callback function to
output the complete path to the trusted root during certificate
chain verification (#1012).
** libgnutls: OIDs exposed as gnutls_datum_t no longer account for the
terminating null bytes, while the data field is null terminated.
The affected API functions are: gnutls_ocsp_req_get_extension,
gnutls_ocsp_resp_get_response, and gnutls_ocsp_resp_get_extension
(#805).
** libgnutls: Added a new set of API to enable QUIC implementation (#826, #849,
#850).
** libgnutls: The crypto implementation override APIs deprecated in 3.6.9 are
now no-op (#790).
** libgnutls: Added MAGMA/KUZNYECHIK CTR-ACPKM and CMAC support (!1161).
** libgnutls: Support for padlock has been fixed to make it work with Zhaoxin
CPU (#1079).
** libgnutls: The maximum PIN length for PKCS #11 has been increased from 31
bytes to 255 bytes (#932).
** API and ABI modifications:
gnutls_x509_trust_list_set_getissuer_function: Added
gnutls_x509_trust_list_get_ptr: Added
gnutls_x509_trust_list_set_ptr: Added
gnutls_session_set_verify_output_function: Added
gnutls_record_encryption_level_t: New enum
gnutls_handshake_read_func: New callback type
gnutls_handshake_set_read_function: New function
gnutls_handshake_write: New function
gnutls_handshake_secret_func: New callback type
gnutls_handshake_set_secret_function: New function
gnutls_alert_read_func: New callback type
gnutls_alert_set_read_function: New function
gnutls_crypto_register_cipher: Deprecated; no-op
gnutls_crypto_register_aead_cipher: Deprecated; no-op
gnutls_crypto_register_mac: Deprecated; no-op
gnutls_crypto_register_digest: Deprecated; no-op
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Reviewed-by: Peter Müller <peter.mueller@ipfire.org>
Since the kernel now always reports 256 bits of entropy to be available,
this CGI does not show any useful information anymore. To avoid
confusions, it will hereby be removed entirely.
Fixes: #12893
Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
This is no longer required because the kernel will now try to
generate some randomness in an easier way when needed.
This has been added in: b923dd3de0
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Reviewed-by: Peter Müller <peter.mueller@ipfire.org>
- lfs and rootfile created
- Patch created to remove requirement for winapi and related windows dependencies
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
- lfs and rootfile created
- python3-cryptography build requires older version than was already installed.
Therefore named version 0.1.18 created, leaving original rust-paste in place
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
- lfs and rootfile created
- python3-cryptography build requires older version than was already installed.
Therefore named version 0.3.6 created, leaving original rust-indoc in place
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
- lfs and rootfile created
- Patch created to remove requirement for winapi and related windows dependencies
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
- Update from version 0.13.1 to 0.15.1
Required to be at same version as rust-pyo3
- Update of rootfile
- Changelog not available
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
- Update from version 0.13.1 to 0.15.1
Required to be at same version as rust-pyo3
- Update of rootfile
- Changelog not available
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
- Update from version 0.13.1 to 0.15.1
- Update of rootfile
- Changelog is too long to include here. For details see CHANGELOG.md file in source
tarball
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
- Update from version 1.9.10 to 1.9.11p3
- Update of rootfile required
- Changelog
What's new in Sudo 1.9.11p3
* Fixed "connection reset" errors on AIX when running shell scripts
with the "intercept" or "log_subcmds" sudoers options enabled.
Bug #1034.
* Fixed very slow execution of shell scripts when the "intercept"
or "log_subcmds" sudoers options are set on systems that enable
Nagle's algorithm on the loopback device, such as AIX.
Bug #1034.
What's new in Sudo 1.9.11p2
* Fixed a compilation error on Linux/x86_64 with the x32 ABI.
* Fixed a regression introduced in 1.9.11p1 that caused a warning
when logging to sudo_logsrvd if the command returned no output.
What's new in Sudo 1.9.11p1
* Correctly handle EAGAIN in the I/O read/right events. This fixes
a hang seen on some systems when piping a large amount of data
through sudo, such as via rsync. Bug #963.
* Changes to avoid implementation or unspecified behavior when
bit shifting signed values in the protobuf library.
* Fixed a compilation error on Linux/aarch64.
* Fixed the configure check for seccomp(2) support on Linux.
* Corrected the EBNF specification for tags in the sudoers manual
page. GitHub issue #153.
What's new in Sudo 1.9.11
* Fixed a crash in the Python module with Python 3.9.10 on some
systems. Additionally, "make check" now passes for Python 3.9.10.
* Error messages sent via email now include more details, including
the file name and the line number and column of the error.
Multiple errors are sent in a single message. Previously, only
the first error was included.
* Fixed logging of parse errors in JSON format. Previously,
the JSON logger would not write entries unless the command and
runuser were set. These may not be known at the time a parse
error is encountered.
* Fixed a potential crash parsing sudoers lines larger than twice
the value of LINE_MAX on systems that lack the getdelim() function.
* The tests run by "make check" now unset the LANGUAGE environment
variable. Otherwise, localization strings will not match if
LANGUAGE is set to a non-English locale. Bug #1025.
* The "starttime" test now passed when run under Debian faketime.
Bug #1026.
* The Kerberos authentication module now honors the custom password
prompt if one has been specified.
* The embedded copy of zlib has been updated to version 1.2.12.
* Updated the version of libtool used by sudo to version 2.4.7.
* Sudo now defines _TIME_BITS to 64 on systems that define __TIMESIZE
in the header files (currently only GNU libc). This is required
to allow the use of 64-bit time values on some 32-bit systems.
* Sudo's "intercept" and "log_subcmds" options no longer force the
command to run in its own pseudo-terminal. It is now also
possible to intercept the system(3) function.
* Fixed a bug in sudo_logsrvd when run in store-first relay mode
where the commit point messages sent by the server were incorrect
if the command was suspended or received a window size change
event.
* Fixed a potential crash in sudo_logsrvd when the "tls_dhparams"
configuration setting was used.
* The "intercept" and "log_subcmds" functionality can now use
ptrace(2) on Linux systems that support seccomp(2) filtering.
This has the advantage of working for both static and dynamic
binaries and can work with sudo's SELinux RBAC mode. The following
architectures are currently supported: i386, x86_64, aarch64,
arm, mips (log_subcmds only), powerpc, riscv, and s390x. The
default is to use ptrace(2) where possible; the new "intercept_type"
sudoers setting can be used to explicitly set the type.
* New Georgian translation from translationproject.org.
* Fixed creating packages on CentOS Stream.
* Fixed a bug in the intercept and log_subcmds support where
the execve(2) wrapper was using the current environment instead
of the passed environment pointer. Bug #1030.
* Added AppArmor integration for Linux. A sudoers rule can now
specify an APPARMOR_PROFILE option to run a command confined by
the named AppArmor profile.
* Fixed parsing of the "server_log" setting in sudo_logsrvd.conf.
Non-paths were being treated as paths and an actual path was
treated as an error.
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Reviewed-by: Peter Müller <peter.mueller@ipfire.org>
pango and the PDF tools as core parts are linked against
libtiff, therefore this library has to become a part of the
core distribution too.
Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
On one hand, the key.dns_resolver binary is linked against libkrb5, so this
library at least is required by the base system.
On the other hand this easily allows different services on the firewall
to use kerberos for authentication (ssh etc).
Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
This script runs aside of OpenVPN and connects to the management socket.
On the socket, OpenVPN will post any new clients trying to authenticate
which will be handled by the authenticator.
If a client has 2FA enabled, it will be challanged for the current token
which will then be checked in a second pass.
Clients which do not have 2FA enabled will just be authenticated no
matter what and tls-verify will have handled the rest.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
For details see:
https://downloads.isc.org/isc/bind9/9.16.30/doc/arm/html/notes.html#notes-for-bind-9-16-30
"Bug Fixes
The fetches-per-server quota is designed to adjust itself downward
automatically when an authoritative server times out too frequently.
Due to a coding error, that adjustment was applied incorrectly,
so that the quota for a congested server was always set to 1. This
has been fixed. [GL #3327]
DNSSEC-signed catalog zones were not being processed correctly. This
has been fixed. [GL #3380]
Key files were updated every time the dnssec-policy key manager ran,
whether the metadata had changed or not. named now checks whether
changes were applied before writing out the key files. [GL #3302]"
Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org>
Reviewed-by: Peter Müller <peter.mueller@ipfire.org>
