- libfmt required in run time by mpd
- mpd changelog specifically said fmt was a build only dependency
- Bug#12909 flagged up that fmt was also a run time dependency for mpd
Fixes: Bug#12909
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Reviewed-by: Peter Müller <peter.mueller@ipfire.org>
Sodium is a new, easy-to-use software library for encryption,
decryption, signatures, password hashing and more.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
- rootfile has all entries commented out as not needed for execution only build
Fixes: Bug#12611
Tested-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
To quote from the kernel documentation:
> If you say Y here, the layouts of structures that are entirely
> function pointers (and have not been manually annotated with
> __no_randomize_layout), or structures that have been explicitly
> marked with __randomize_layout, will be randomized at compile-time.
> This can introduce the requirement of an additional information
> exposure vulnerability for exploits targeting these structure
> types.
>
> Enabling this feature will introduce some performance impact,
> slightly increase memory usage, and prevent the use of forensic
> tools like Volatility against the system (unless the kernel
> source tree isn't cleaned after kernel installation).
>
> The seed used for compilation is located at
> scripts/gcc-plgins/randomize_layout_seed.h. It remains after
> a make clean to allow for external modules to be compiled with
> the existing seed and will be removed by a make mrproper or
> make distclean.
>
> Note that the implementation requires gcc 4.7 or newer.
Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
Acked-by: Michael Tremer <michael.tremer@ipfire.org>
For details see:
https://nlnetlabs.nl/projects/unbound/download/#unbound-1-16-2
"Features
Merge #718: Introduce infra-cache-max-rtt option to config max retransmit timeout.
Bug Fixes
Fix the novel ghost domain issues CVE-2022-30698 and CVE-2022-30699.
Fix bug introduced in 'improve val_sigcrypt.c::algo_needs_missing
for one loop pass'.
Merge PR #668 from Cristian Rodríguez: Set IP_BIND_ADDRESS_NO_PORT
on outbound tcp sockets.
Fix verbose EDE error printout.
Fix dname count in sldns parse type descriptor for SVCB and HTTPS.
For windows crosscompile, fix setting the IPV6_MTU socket option
equivalent (IPV6_USER_MTU); allows cross compiling with latest cross-compiler versions.
Merge PR 714: Avoid treat normal hosts as unresponsive servers. And fixup the lock code.
iana portlist update.
Update documentation for 'outbound-msg-retry:'.
Tests for ghost domain fixes."
Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org>
Reviewed-by: Peter Müller <peter.mueller@ipfire.org>
Quoted from https://capsule8.com/blog/kernel-configuration-glossary/:
> Significance: Critical
>
> In support of Kernel Address Space Layout Randomization (KASLR) this randomizes
> the physical address at which the kernel image is decompressed and the virtual
> address where the kernel image is mapped as a security feature that deters
> exploit attempts relying on knowledge of the location of kernel code internals.
We tried to enable this back in 2020, and failed. Since then, things
may have been improved, so let's give this low-hanging fruit another
try.
Fixes: #12363
Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
If available, the kernel will enable IOMMU (a/k/a DMA remapping) by
default on boot. To tools making use of that, particularly hypervisors,
this provides better security without any downsides.
Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
Please refer to https://cdn.kernel.org/pub/linux/kernel/v5.x/ChangeLog-5.15.57
for the changelog of this version. Since it introduces
architecture-dependent rootfile changes due to CPU side-channel
mitigations, changes to ARM rootfiles have been omitted due to the lack
of hardware.
Supposed hardening changes will be submitted separately.
Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
For details see:
https://downloads.isc.org/isc/bind9/9.16.31/doc/arm/html/notes.html#notes-for-bind-9-16-31
Excerpt from changelog:
" --- 9.16.31 released ---
5917. [bug] Update ifconfig.sh script as is miscomputed interface
identifiers when destroying interfaces. [GL #3061]
5915. [bug] Detect missing closing brace (}) and computational
overflows in $GENERATE directives. [GL #3429]
5913. [bug] Fix a race between resolver query timeout and
validation in resolver.c:validated(). Remove
resolver.c:maybe_destroy() as it is no loger needed.
[GL #3398]
5909. [bug] The server-side destination port was missing from dnstap
captures of client traffic. [GL #3309]
5905. [bug] When the TCP connection would be closed/reset between
the connect/accept and the read, the uv_read_start()
return value would be unexpected and cause an assertion
failure. [GL #3400]
5903. [bug] When named checks that the OPCODE in a response matches
that of the request, if there is a mismatch named logs
an error. Some of those error messages incorrectly
used RCODE instead of OPCODE to lookup the nemonic.
This has been corrected. [GL !6420]"
Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org>
Reviewed-by: Peter Müller <peter.mueller@ipfire.org>
For details see:
https://nlnetlabs.nl/projects/unbound/download/#unbound-1-16-1
"Features
Fix#704: [FR] Statistics counter for number of outgoing UDP queries
sent; introduces 'num.query.udpout' to the 'unbound-control stats'
command.
Bug Fixes
makedist.sh picks up 32bit libssp-0.dll when 32bit compile.
Fix for edns client subnet to respect not looking in its cache when
instructed to do so (e.g., prefetch).
Merge PR #688: Rpz url notify issue.
Note in the unbound.conf text that NOTIFY is allowed from the 'url:'
addresses for auth and rpz zones.
Remove unused LDNS function check for GOST Engine unloading.
Fix for loading locally stored zones that have lines with blanks or
blanks and comments.
Fix#663: use after free issue with edns options.
Clarify -v flag manpage entry (#705)
Fix test program dohclient close to use portability routine.
Show the output of the exact .rpl run that failed with 'make test'.
Fix for cached 0 TTL records to not trigger prefetching when
serve-expired-client-timeout is set.
Add debug option to the mini_tdir.sh test code.
Fix to not count cached NXDOMAIN for MAX_TARGET_NX.
Allow fallback to the parent side when MAX_TARGET_NX is reached. This
will also allow MAX_TARGET_NX more NXDOMAINs.
iana portlist update.
Fix detection of libz on windows compile with static option.
Fix compile warning for windows compile.
Merge PR #706: NXNS fallback.
From #706: Cached NXDOMAIN does not increase the target nx responses.
From #706: Don't generate parent side queries if we already have the
lame records in cache.
From #706: When a lame address is the best choice, don't try to
generate target queries when the missing targets are all lame.
Merge PR #671 from Petr Menšík: Disable ED25519 and ED448 in FIPS mode
on openssl3.
Merge PR #660 from Petr Menšík: Sha1 runtime insecure.
For #660: formatting, less verbose logging, add EDE information.
Fix for correct openssl error when adding windows CA certificates to
the openssl trust store.
Improve val_sigcrypt.c::algo_needs_missing for one loop pass.
Reintroduce documentation and more EDE support for
val_sigcrypt.c::dnskeyset_verify_rrset_sig.
Fix bug introduced in 'improve val_sigcrypt.c::algo_needs_missing for
one loop pass'.
Merge PR #668 from Cristian Rodríguez: Set IP_BIND_ADDRESS_NO_PORT on
outbound tcp sockets."
Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org>
Reviewed-by: Peter Müller <peter.mueller@ipfire.org>
- Update from version 8.2 to 9.0
- Update of rootfile
- Remove gcc10 detection patch as this is now built into the source tarball
- Update hardening crash patch. The issue related to the gcc10 patch seems to suggest
that when that is fixed then the hardening crash patch is not required but it wasn't
100% clear. So I have left the patch in place as it only changes one line and if it
worked with the earlier versions then it should also work now. If it is decided that
it is not needed then it can always be removed at a future update.
- Changelog is massive with over 30000 lines.
vim provides fixed updates such as 8.2 and 9.0 but then issues very frequent patch
updates. For version 8.2 there are 5172 patch updates none of which have been applied
to IPFire. All of these are now built into version 9.0
https://vimhelp.org/version9.txt.html#new-9 provides the details of what is new with
version 9.0, including details of all the 5172 patches.
- Key thing for version 9.0 is that there is a new Vim9 script language which is not
backwards compatible. However the old legacy script language will continue to be
supported so all old scripts can continue to be used.
- Version 9.0 already has 48 patches released. The releases occur virtually every day
with several days having multiple patch releases.
- Once this 9.0 version of vim has been confirmed to work successfully by people
experienced in using vim (I struggle to remember the set of characters to press to
exit from an editing session), then my plan is to periodically submit an update of the
patches, although some may be missed out as they are not relevant for IPFire - such
as deleting Travis CI config and improving the recognition of some Visual Basic files.
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Reviewed-by: Peter Müller <peter.mueller@ipfire.org>
