Originally announced for Core Update 176, this step was postponed until
Core Update 177 due to my fault of having shipped all necessary
dependencies for OpenSSL 3.x in Core Update 175 properly.
Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
Reviewed-by: Michael Tremer <michael.tremer@ipfire.org>
For details see:
http://lists.squid-cache.org/pipermail/squid-users/2023-July/025929.html
"The Squid HTTP Proxy team is very pleased to announce the availability
of the Squid-6.1 release!
This release is we believe, stable enough for general production use.
Support for Squid-5 bug fixes has now officially ceased. Bugs in 5.x
will continue to be fixed, however the fixes will be added to the 6.x
series. All users of Squid-5.x are encouraged to plan for upgrades."
And:
http://www.squid-cache.org/Versions/v6/RELEASENOTES.html
v6 is running since 6.0.1 here in production use without any seen problems...
Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org>
Reviewed-by: Peter Müller <peter.mueller@ipfire.org>
- When cups is installed (including when doing a Core Update that includes a cups update)
the 5 min delay for starting cups means that it has not restarted by the time that the
reboot for the CU has been started. There are then error messages that say that cups
couldn't be stopped as it was not running.
- When a normal reboot is carried out withoutr any update of cups then the startup has
no delay and it starts without any trouble.
- This patch removes the 300 secs delay from the start_service line in the install.sh paks
file.
- The PAK_VER is bumped to ensure that this change is shipped
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Reviewed-by: Peter Müller <peter.mueller@ipfire.org>
- Removal of lfs file
- Removal of rootfile
- Removal of backup includes file
- Removal of three patches
- Removal of paks files
- Adjustment of make.sh to remove squidclamav
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Reviewed-by: Peter Müller <peter.mueller@ipfire.org>
- Update from version 20230404 to 20230625
- Update of rootfile carried out based on Peter Mueller's description from last
linux-firmware update.
- It would be good to have it checked that my results are in line with what they should be.
- Changelog
For changes see the commits in the git repo
https://git.kernel.org/pub/scm/linux/kernel/git/firmware/linux-firmware.git/log/
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
- Patch provided by bug reporter. Here is the description of the problem from the bug.
First I discovered that the helper only sometimes throwing the error and quits even
for the same values and queries. Also the timespan until the error happens was quite
different for every restart of squid (minutes to hours). And it does not depend on
the traffic on the proxy, even one connection could cause a crash while ten or
hundrets won't. After a few days of testing different solutions and done a lot of
debugging, redesigning the function did not fully solve the problem. Such standard
things like checking the result variable for NULL (or it's equivalent "is None" in
python) before evaluating it's subfunction produces the exact same error message. But
with that knowledge it more and more turns out that python3 sometimes 'detects' the
local return variable if it was a misused global. So for a full fix, the return
variable also has to be initialized that python3 won't detect it's usage as an
'UnboundLocalError' to succesfully fix this bug.
- LFS file updated to run patch before copying helper into place.
- Update of rootfile not needed.
- Bug reporter has been requested to raise this issue at the git repo for squid-asnbl.
Fixes: Bug#13023
Tested-by: Nicolas Pӧhlmann <business@hardcoretec.com>
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
- Update from version 1.9.13p3 to 1.9.14
- Update of rootfile not required
- Changelog
Significant change is that use_pty is now defined as the default setting.
This parameter was made available back in version 1.8.0 but not as default.
It was implemented in response to a variety of CVE's related to being vulnerable to
privilege escalation via TIOCSTI and/or lesser-known TIOCLINUX command injection.
Apparently it was not made default as that would change the way that sudo worked.
As various existing bugs have been resolved it has now been declared by the sudo devs
that now sudo with a pseudo terminal works close to the same as with the users terminal
Hence in this version the use of the pseudo terminal is now default.
See https://github.com/sudo-project/sudo/issues/258 for more details.
1.9.14
Fixed a bug where if the intercept or log_subcmds sudoers option was enabled and a
sub-command was run where the first entry of the argument vector didn't match the
command being run. This resulted in commands like sudo su - being killed due to the
mismatch. Bug #1050.
The sudoers plugin now canonicalizes command path names before matching (where
possible). This fixes a bug where sudo could execute the wrong path if there are
multiple symbolic links with the same target and the same base name in sudoers that a
user is allowed to run. GitHub issue #228.
Improved command matching when a chroot is specified in sudoers. The sudoers plugin
will now change the root directory id needed before performing command matching.
Previously, the root directory was simply prepended to the path that was being
processed.
When NETGROUP_BASE is set in the ldap.conf file, sudo will now perform its own
netgroup lookups of the host name instead of using the system innetgr(3) function.
This guarantees that user and host netgroup lookups are performed using the same LDAP
server (or servers).
Fixed a bug introduced in sudo 1.9.13 that resulted in a missing " ; " separator
between environment variables and the command in log entries.
The visudo utility now displays a warning when it ignores a file in an include dir
such as /etc/sudoers.d.
When running a command in a pseudo-terminal, sudo will initialize the terminal
settings even if it is the background process. Previously, sudo only initialized the
pseudo-terminal when running in the foreground. This fixes an issue where a program
that checks the window size would read the wrong value when sudo was running in the
background.
Fixed a bug where only the first two digits of the TSID field being was logged.
Bug #1046.
The use_pty sudoers option is now enabled by default. To restore the historic behavior
where a command is run in the user's terminal, add Defaults !use_pty to the sudoers
file. GitHub issue #258.
Sudo's -b option now works when the command is run in a pseudo-terminal.
When disabling core dumps, sudo now only modifies the soft limit and leaves the hard
limit as-is. This avoids problems on Linux when sudo does not have CAP_SYS_RESOURCE,
which may be the case when run inside a container. GitHub issue #42.
Sudo configuration file paths have been converted to colon-separated lists of paths.
This makes it possible to have configuration files on a read-only file system while
still allowing for local modifications in a different (writable) directory. The new
--enable-adminconf configure option can be used to specify a directory that is
searched for configuration files in preference to the sysconfdir (which is usually
/etc).
The intercept_verify sudoers option is now only applied when the intercept option is
set in sudoers. Previously, it was also applied when log_subcmds was enabled.
The NETGROUP_QUERY ldap.conf parameter can now be disabled for LDAP servers that do
not support querying the nisNetgroup object by its nisNetgroupTriple attribute, while
still allowing sudo to query the LDAP server directly to determine netgroup
membership.
Fixed a long-standing bug where a sudoers rule without an explicit runas list allowed
the user to run a command as root and any group instead of just one of the groups
that root is a member of. For example, a rule such as myuser ALL = ALL would permit
sudo -u root -g othergroup even if root did not belong to othergroup.
Fixed a bug where a sudoers rule with an explicit runas list allowed a user to run
sudo commands as themselves. For example, a rule such as myuser ALL = (root) ALL,
myuser should only allow commands to be run as root (optionally using one of root's
groups). However, the rule also allowed the user to run sudo -u myuser -g myuser
command.
Fixed a bug that prevented the user from specifying a group on the command line via
sudo -g if the rule's Runas_Spec contained a Runas_Alias.
Sudo now requires a C99 compiler due to the use of flexible array members.
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Reviewed-by: Peter Müller <peter.mueller@ipfire.org>
- Update from version 4.2.8p15 to 4.2.8p17
- Update of rootfile not required
- Tested out on vm testbed. Time correctly updated every hour and pakfire was able to
download and install various addons without any problems indicating that the time
is working correctly.
- patch to enable build with glibc-2.34 no longer needed. ntp updated to work correctly
with glibc-2.34 but IPFire running with version 2.37. Version 2.4.8p17 built without
any problems without the patch.
- Changelog
4.2.8p17 2023/06/06 Released by Harlan Stenn <stenn@ntp.org>
* [Bug 3824] Spurious "ntpd: daemon failed to notify parent!" logged at
event_sync. Reported by Edward McGuire. <hart@ntp.org>
* [Bug 3822] ntpd significantly delays first poll of servers specified by name.
<hart@ntp.org> Miroslav Lichvar identified regression in 4.2.8p16.
* [Bug 3821] 4.2.8p16 misreads hex authentication keys, won't interop with
4.2.8p15 or earlier. Reported by Matt Nordhoff, thanks to
Miroslav Lichvar and Matt for rapid testing and identifying the
problem. <hart@ntp.org>
* Add tests/libntp/digests.c to catch regressions reading keys file or with
symmetric authentication digest output.
4.2.8p16 2023/05/31 Released by Harlan Stenn <stenn@ntp.org>
* [Sec 3808] Assertion failure in ntpq on malformed RT-11 date <perlinger@ntp.org>
* [Sec 3807] praecis_parse() in the Palisade refclock driver has a
hypothetical input buffer overflow. Reported by ... stenn@
* [Sec 3806] libntp/mstolfp.c needs bounds checking <perlinger@ntp.org>
- solved numerically instead of using string manipulation
* [Sec 3767] An OOB KoD RATE value triggers an assertion when debug is enabled.
<stenn@ntp.org>
* [Bug 3819] Updated libopts/Makefile.am was missing NTP_HARD_* values. <stenn@>
* [Bug 3817] Bounds-check "tos floor" configuration. <hart@ntp.org>
* [Bug 3814] First poll delay of new or cleared associations miscalculated.
<hart@ntp.org>
* [Bug 3802] ntp-keygen -I default identity modulus bits too small for
OpenSSL 3. Reported by rmsh1216@163.com <hart@ntp.org>
* [Bug 3801] gpsdjson refclock gps_open() device name mishandled. <hart@ntp.org>
* [Bug 3800] libopts-42.1.17 does not compile with Microsoft C. <hart@ntp.org>
* [Bug 3799] Enable libopts noreturn compiler advice for MSC. <hart@ntp.org>
* [Bug 3797] Windows getaddrinfo w/AI_ADDRCONFIG fails for localhost when
disconnected, breaking ntpq and ntpdc. <hart@ntp.org>
* [Bug 3795] pollskewlist documentation uses | when it shouldn't.
- ntp.conf manual page and miscopt.html corrections. <hart@ntp.org>
* [Bug 3793] Wrong variable type passed to record_raw_stats(). <hart@ntp.org>
- Report and patch by Yuezhen LUAN <wei6410@sina.com>.
* [Bug 3786] Timer starvation on high-load Windows ntpd. <hart@ntp.org>
* [Bug 3784] high-load ntpd on Windows deaf after enough ICMP TTL exceeded.
<hart@ntp.org>
* [Bug 3781] log "Unable to listen for broadcasts" for IPv4 <hart@ntp.org>
* [Bug 3774] mode 6 packets corrupted in rawstats file <hart@ntp.org>
- Reported by Edward McGuire, fix identified by <wei6410@sina.com>.
* [Bug 3758] Provide a 'device' config statement for refclocks <perlinger@ntp.org>
* [Bug 3757] Improve handling of Linux-PPS in NTPD <perlinger@ntp.org>
* [Bug 3741] 4.2.8p15 can't build with glibc 2.34 <perlinger@ntp.org>
* [Bug 3725] Make copyright of clk_wharton.c compatible with Debian.
Philippe De Muyter <phdm@macqel.be>
* [Bug 3724] ntp-keygen with openSSL 1.1.1 fails on Windows <perlinger@ntp.org>
- openssl applink needed again for openSSL-1.1.1
* [Bug 3719] configure.ac checks for closefrom() and getdtablesize() missing.
Reported by Brian Utterback, broken in 2010 by <hart@ntp.org>
* [Bug 3699] Problems handling drift file and restoring previous drifts <perlinger@ntp.org>
- command line options override config statements where applicable
- make initial frequency settings idempotent and reversible
- make sure kernel PLL gets a recovered drift componsation
* [Bug 3695] Fix memory leak with ntpq on Windows Server 2019 <perlinger@ntp.org>
* [Bug 3694] NMEA refclock seems to unnecessarily require location in messages
- misleading title; essentially a request to ignore the receiver status.
Added a mode bit for this. <perlinger@ntp.org>
* [Bug 3693] Improvement of error handling key lengths <perlinger@ntp.org>
- original patch by Richard Schmidt, with mods & unit test fixes
* [Bug 3692] /dev/gpsN requirement prevents KPPS <perlinger@ntp.org>
- implement/wrap 'realpath()' to resolve symlinks in device names
* [Bug 3691] Buffer Overflow reading GPSD output
- original patch by matt<ntpbr@mattcorallo.com>
- increased max PDU size to 4k to avoid truncation
* [Bug 3690] newline in ntp clock variable (parse) <perlinger@ntp.org>
- patch by Frank Kardel
* [Bug 3689] Extension for MD5, SHA-1 and other keys <perlinger@ntp.org>
- ntp{q,dc} now use the same password processing as ntpd does in the key
file, so having a binary secret >= 11 bytes is possible for all keys.
(This is a different approach to the problem than suggested)
* [Bug 3688] GCC 10 build errors in testsuite <perlinger@ntp.org>
* [Bug 3687] ntp_crypto_rand RNG status not known <perlinger@ntp.org>
- patch by Gerry Garvey
* [Bug 3682] Fixes for warnings when compiled without OpenSSL <perlinger@ntp.org>
- original patch by Gerry Garvey
* [Bug 3677] additional peer events not decoded in associations listing <perlinger@ntp.org>
- original patch by Gerry Garvey
* [Bug 3676] compiler warnings (CMAC, interrupt_buf, typo, fallthrough)
- applied patches by Gerry Garvey
* [Bug 3675] ntpq ccmds[] stores pointer to non-persistent storage
* [Bug 3674] ntpq command 'execute only' using '~' prefix <perlinger@ntp.org>
- idea+patch by Gerry Garvey
* [Bug 3672] fix biased selection in median cut <perlinger@ntp.org>
* [Bug 3666] avoid unlimited receive buffer allocation <perlinger@ntp.org>
- follow-up: fix inverted sense in check, reset shortfall counter
* [Bug 3660] Revert 4.2.8p15 change to manycast. <hart@ntp.org>
* [Bug 3640] document "discard monitor" and fix the code. <hart@ntp.org>
- fixed bug identified by Edward McGuire <perlinger@ntp.org>
* [Bug 3626] (SNTP) UTC offset calculation needs dst flag <perlinger@ntp.org>
- applied patch by Gerry Garvey
* [Bug 3428] ntpd spinning consuming CPU on Linux router with full table.
Reported by Israel G. Lugo. <hart@ntp.org>
* [Bug 3103] libopts zsave_warn format string too few arguments <bkorb@gnu.org>
* [Bug 2990] multicastclient incorrectly causes bind to broadcast address.
Integrated patch from Brian Utterback. <hart@ntp.org>
* [Bug 2525] Turn on automake subdir-objects across the project. <hart@ntp.org>
* [Bug 2410] syslog an error message on panic exceeded. <brian.utterback@oracle.com>
* Use correct rounding in mstolfp(). perlinger/hart
* M_ADDF should use u_int32. <hart@ntp.org>
* Only define tv_fmt_libbuf() if we will use it. <stenn@ntp.org>
* Use recv_buffer instead of the longer recv_space.X_recv_buffer. hart/stenn
* Make sure the value returned by refid_str() prints cleanly. <stenn@ntp.org>
* If DEBUG is enabled, the startup banner now says that debug assertions
are in force and that ntpd will abort if any are violated. <stenn@ntp.org>
* syslog valid incoming KoDs. <stenn@ntp.org>
* Rename a poorly-named variable. <stenn@ntp.org>
* Disable "embedded NUL in string" messages in libopts, when we can. <stenn@>
* Use https in the AC_INIT URLs in configure.ac. <stenn@ntp.org>
* Implement NTP_FUNC_REALPATH. <stenn@ntp.org>
* Lose a gmake construct in ntpd/Makefile.am. <stenn@ntp.org>
* upgrade to: autogen-5.18.16
* upgrade to: libopts-42.1.17
* upgrade to: autoconf-2.71
* upgrade to: automake-1.16.15
* Upgrade to libevent-2.1.12-stable <stenn@ntp.org>
* Support OpenSSL-3.0
Tested-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Reviewed-by: Peter Müller <peter.mueller@ipfire.org>
There are no functional changes in these files, but they are however
linked against OpenSSL 1.1.1 and need to be re-shipped before we remove
the legacy library.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
This reverts commit aa8a659ab7.
This cannot be done, yet, because an updated system still has hundreds
of files using the old libraries. Those will have to be re-shipped first
before we actually remove OpenSSL 1.1.1.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Changelog is too long to include it here, please refer to the ChangeLog
file in the sourcecode tarball.
Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
The function tries to figure out which networks are connected locally,
but VPN tunnels that use 0.0.0.0 and GRE/VTI interfaces will be
considered local and the proxy is being disabled for everyone.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
- Update from version 1.15.4 to 1.20.4
- Update of x86_64 rootfile
aarch64 rootfile needs to be created on a aarch64 build system
- Changelog is very large. For details see https://go.dev/doc/devel/release
50 mentions of security fixes in the changes from 1.15.4 to 1.20.4
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
- In Core Update 175 lvm was updated and 69-dm-lvm-metad.rules was replaced with
69-dm-lvm.rules in the lvm rootfile.
- That previous patch update did not remove the no longer existing 69-dm-lvm-metad.rules
from existing installations. This patch corrects that.
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
