- Update from 2.11.0 to 2.11.1
- Update of rootfile
- Changelog is too long to include here - more than 1500 lines.
Details can be found in the ChangeLog file in the source tarball.
24 bug fixes listed.
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Reviewed-by: Michael Tremer <michael.tremer@ipfire.org>
- Update from 2.4.1 to 2.4.2
- Update of rootfile
- Changelog
Release 2.4.2 Sun December 19 2021
Other changes:
#509#510 Link againgst libm for function "isnan"
#513#514 Include expat_config.h as early as possible
#498 Autotools: Include files with release archives:
- buildconf.sh
- fuzz/*.c
#507#519 Autotools: Sync CMake templates
#495#524 CMake: MinGW: Fix pkg-config section "Libs" for
- non-release build types (e.g. -DCMAKE_BUILD_TYPE=Debug)
- multi-config CMake generators (e.g. Ninja Multi-Config)
#502#503 docs: Document that function XML_GetBuffer may return NULL
when asking for a buffer of 0 (zero) bytes size
#522#523 docs: Fix return value docs for both
XML_SetBillionLaughsAttackProtection* functions
#525#526 Version info bumped from 9:1:8 to 9:2:8;
see https://verbump.de/ for what these numbers do
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Reviewed-by: Michael Tremer <michael.tremer@ipfire.org>
- Update from 8.6.11 to 8.6.12
- Update of rootfile
- Changelog is no longer supported by tcl. All changes are put into a timeline which can
be viewed at https://core.tcl-lang.org/tcl/timeline although I can't figure out from
the timeline what change goes with what version. Hopefully other people are better
able to understand the information. This timelien cannot be easily summarised or
copied into this commit.
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Reviewed-by: Michael Tremer <michael.tremer@ipfire.org>
- Update from 10.37 to 10.39
- Update of rootfile
- Changelog
Version 10.39 29-October-2021
1. Fix incorrect detection of alternatives in first character search in JIT.
2. Merged patch from @carenas (GitHub #28):
Visual Studio 2013 includes support for %zu and %td, so let newer
versions of it avoid the fallback, and while at it, make sure that
the first check is for DISABLE_PERCENT_ZT so it will be always
honoured if chosen.
prtdiff_t is signed, so use a signed type instead, and make sure
that an appropiate width is chosen if pointers are 64bit wide and
long is not (ex: Windows 64bit).
IMHO removing the cast (and therefore the positibilty of truncation)
make the code cleaner and the fallback is likely portable enough
with all 64-bit POSIX systems doing LP64 except for Windows.
3. Merged patch from @carenas (GitHub #29) to update to Unicode 14.0.0.
4. Merged patch from @carenas (GitHub #30):
* Cleanup: remove references to no longer used stdint.h
Since 19c50b9d (Unconditionally use inttypes.h instead of trying for stdint.h
(simplification) and remove the now unnecessary inclusion in
pcre2_internal.h., 2018-11-14), stdint.h is no longer used.
Remove checks for it in autotools and CMake and document better the expected
build failures for systems that might have stdint.h (C99) and not inttypes.h
(from POSIX), like old Windows.
* Cleanup: remove detection for inttypes.h which is a hard dependency
CMake checks for standard headers are not meant to be used for hard
dependencies, so will prevent a possible fallback to work.
Alternatively, the header could be checked to make the configuration fail
instead of breaking the build, but that was punted, as it was missing anyway
from autotools.
5. Merged patch from @carenas (GitHub #32):
* jit: allow building with ancient MSVC versions
Visual Studio older than 2013 fails to build with JIT enabled, because it is
unable to parse non C89 compatible syntax, with mixed declarations and code.
While most recent compilers wouldn't even report this as a warning since it
is valid C99, it could be also made visible by adding to gcc/clang the
-Wdeclaration-after-statement flag at build time.
Move the code below the affected definitions.
* pcre2grep: avoid mixing declarations with code
Since d5a61ee8 (Patch to detect (and ignore) symlink loops in pcre2grep,
2021-08-28), code will fail to build in a strict C89 compiler.
Reformat slightly to make it C89 compatible again.
Version 10.38 01-October-2021
1. Fix invalid single character repetition issues in JIT when the repetition
is inside a capturing bracket and the bracket is preceeded by character
literals.
2. Installed revised CMake configuration files provided by Jan-Willem Blokland.
This extends the CMake build system to build both static and shared libraries
in one go, builds the static library with PIC, and exposes PCRE2 libraries
using the CMake config files. JWB provided these notes:
- Introduced CMake variable BUILD_STATIC_LIBS to build the static library.
- Make a small modification to config-cmake.h.in by removing the PCRE2_STATIC
variable. Added PCRE2_STATIC variable to the static build using the
target_compile_definitions() function.
- Extended the CMake config files.
- Introduced CMake variable PCRE2_USE_STATIC_LIBS to easily switch between
the static and shared libraries.
- Added the PCRE_STATIC variable to the target compile definitions for the
import of the static library.
Building static and shared libraries using MSVC results in a name clash of
the libraries. Both static and shared library builds create, for example, the
file pcre2-8.lib. Therefore, I decided to change the static library names by
adding "-static". For example, pcre2-8.lib has become pcre2-8-static.lib.
[Comment by PH: this is MSVC-specific. It doesn't happen on Linux.]
3. Increased the minimum release number for CMake to 3.0.0 because older than
2.8.12 is deprecated (it was set to 2.8.5) and causes warnings. Even 3.0.0 is
quite old; it was released in 2014.
4. Implemented a modified version of Thomas Tempelmann's pcre2grep patch for
detecting symlink loops. This is dependent on the availability of realpath(),
which is now tested for in ./configure and CMakeLists.txt.
5. Implemented a modified version of Thomas Tempelmann's patch for faster
case-independent "first code unit" searches for unanchored patterns in 8-bit
mode in the interpreters. Instead of just remembering whether one case matched
or not, it remembers the position of a previous match so as to avoid
unnecessary repeated searching.
6. Perl now locks out \K in lookarounds, so PCRE2 now does the same by default.
However, just in case anybody was relying on the old behaviour, there is an
option called PCRE2_EXTRA_ALLOW_LOOKAROUND_BSK that enables the old behaviour.
An option has also been added to pcre2grep to enable this.
7. Re-enable a JIT optimization which was unintentionally disabled in 10.35.
8. There is a loop counter to catch excessively crazy patterns when checking
the lengths of lookbehinds at compile time. This was incorrectly getting reset
whenever a lookahead was processed, leading to some fuzzer-generated patterns
taking a very long time to compile when (?|) was present in the pattern,
because (?|) disables caching of group lengths.
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Reviewed-by: Michael Tremer <michael.tremer@ipfire.org>
These are all not present on current IPFire versions, so there is no
sense in letting collectd keeping track of them.
Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
Reviewed-by: Adolf Belka <adolf.belka@ipfire.org>
Full changelog as given in the NEWS file:
kmod 29
=======
- Improvements
- Add support to use /usr/local as a place for configuration files. This makes it easier
to install locally without overriding distro files.
- Bug fixes
- Fix `modinfo -F` when module is builtin: when we asked by a specific field from modinfo,
it was not working correctly if the module was builtin
- Documentation fixes on precedence order of /etc and /run: the correct order is
/etc/modprobe.d, /run/modprobe.d, /lib/modprobe.d
- Fix the priority order that we use for searching configuration files. The
correct one is /etc, /run, /usr/local/lib, /lib, for both modprobe.d
and depmo.d
- Fix kernel command line parsing when there are quotes present. Grub
mangles the command line and changes it from 'module.option="val with
spaces"' to '"module.option=val with spaces"'. Although this is weird
behavior and grub could have been fixed, the kernel understands it
correctly for builtin modules. So change libkmod to also parse it
correctly. This also brings another hidden behavior from the kernel:
newline in the kernel command line is also allowed and can be used to
separate options.
- Fix a memory leak, overflow and double free on error path
- Fix documentation for return value from kmod_module_get_info(): we
return the number of entries we added to the list
- Fix output of modules.builtin.alias.bin index: we were writing an empty file due to
the misuse of kmod_module_get_info()
- Infra/internal
- Retire integration with semaphoreci
- Declare the github mirror also as an official upstream source: now besides accepting
patches via mailing list, PRs on github are also acceptable
- Misc improvements to testsuite, so we can use it reliably regardless
of the configuration used: now tests will skip if we don't have the
build dependencies)
Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
Reviewed-by: Michael Tremer <michael.tremer@ipfire.org>
This includes new and changed firmware files, to avoid shipping a lot of
unchanged files. Upstream deleted files will be deleted on the
installations as well.
Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
- Update from 3.0.3 to 3.0.6
- Communication had with cisofy about the website and github versions of lynis and the
lack of a signature file on github. Following response received from Michael Boelen
of cisofy.
"GitHub releases are different as they (the tarballs) are created by GitHub itself. So
yes, the hashes will differ. In fact, the contents of the files will be different as
well. These files are not signed by GitHub or us. We consider GitHub the work version.
When we release a new version, we tag them on GitHub with a version as well. For the
stable releases, use the version on the website."
- Based on the above the version used in this build is from the website. The signature
file for version 3.0.6 on the website is now available.
- The lynis-3.0.6.tar.gz in the IPFire Source location will probably need to be removed
as it is from the Github location and running ./make.sh uploadsrc will probably not
upload the correct version because the filenames are the same. The tarball used in this
patch was from https://cisofy.com/downloads/lynis/
- The lfs file modified to take account of the tarball expanding to just lynis without
any version number. Also the rm -rf line has been modified due to the file differences
with the previous Github versions.
- Update rootfile to take account of the plugin_pam_phase1 and plugin_systemd_phase1
plugins not being included in the cisofy website version of the tarball. If these two
plugins that are available for community users are needed then they have to be
downloaded separately from cisofy via an email subscription to the notification test.
All other plugins are only available for paying customers.
- Changelog
Version 3.0.6 (2021-07-22)
### Added
- OS detection: Artix Linux, macOS Monterey, NethServer, openSUSE MicroOS
- Check for outdated translation files
### Changed
- DBS-1826 - Check if PostgreSQL is being used
- DBS-1828 - Test multiple PostgreSQL configuration file(s)
- KRNL-5830 - Sort kernels by version instead of modification date
- PKGS-7410 - Don't show exception for systems using LXC
- GetHostID function: fallback options added for Linux systems
- Fix: macOS Big Sur detection
- Fix: show correct text when egrep is missing
- Fix: variable name for PostgreSQL
- German and Spanish translations extended
Version 3.0.5 (2021-07-02)
### Added
- OS detection of Arch Linux 32, BunsenLabs Linux, and Rocky Linux
- CRYP-8006 - Check MemoryOverwriteRequest bit to protect against cold-boot attacks (Linux)
### Changed
- ACCT-9622 - Corrected typo
- HRDN-7231 - When calling wc, use the short -l flag instead of --lines (Busybox compatibility)
- PKGS-7320 - extended to Arch Linux 32
- Generation of host identifiers (hostid/hostid2) extended
- Linux host identifiers are now using ip as preferred input source
- Improved logging in several areas
Version 3.0.4 (2021-05-11)
### Added
- ACCT-9670 - Detection of cmd tooling
- ACCT-9672 - Test cmd configuration file
- BOOT-5140 - Check for ELILO boot loader presence
- OS detection of AlmaLinux, Garuda Linux, Manjaro (ARM), and others
### Changed
- BOOT-5104 - Add service manager detection support for runit
- FILE-6430 - Report suggestion only when at least one kernel module is not in the blacklist
- FIRE-4540 - Corrected nftables empy ruleset test
- LOGG-2138 - Do not check for klogd when metalog is being used
- TIME-3185 - Improved support for Debian stretch
- Corrected issue when Lynis is not executed directly from lynis directory
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Reviewed-by: Michael Tremer <michael.tremer@ipfire.org>
Reviewed-by: Peter Müller <peter.mueller@ipfire.org>
- util-macros was originally installed as a build requirement for pciaccess which is
a dependency of libvirt
- Along the way of updates of pciaccess the build requirement for util-macros is no
longer needed. pciaccess built without problems with util-macros removed.
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Acked-by: Peter Müller <peter.mueller@ipfire.org>
- Update from 10.2 to 11.1
- Update of rootfile
- Changelog
Version 11.1 of GDB includes the following changes and enhancements:
Support for ARM Symbian (arm*-*-symbianelf*) has been removed.
Building GDB now requires GMP (The GNU Multiple Precision Arithmetic Library).
New command-line options "--early-init-command" (or "-eix") and
"--early-init-eval-command" (or "-eiex")
GDB/MI Changes:
New --qualified option for the '-break-insert' and '-dprintf-insert' commands.
New --force-condition option for the '-break-insert' and '-dprintf-insert' commands.
New --force option for the '-break-condition' command.
The '-file-list-exec-source-files' now accepts an optional regular expression to
filter the source files included in the result.
The results from '-file-list-exec-source-files' now include a 'debug-fully-read'
field to indicate if the corresponding source's debugging information has been
partially read (false) or has been fully read (true).
TUI Improvements:
Mouse actions are now supported. The mouse wheel scrolls the appropriate window.
Key combinations that do not have a specific action on the focused window are now
passed to GDB.
Python enhancements:
Inferior objects now contain a read-only 'connection_num' attribute that gives the
connection number as seen in 'info connections' and 'info inferiors'.
New method gdb.Frame.level() which returns the stack level of the frame object.
New method gdb.PendingFrame.level() which returns the stack level of the frame
object.
When hitting a catchpoint, the Python API will now emit a gdb.BreakpointEvent
rather than a gdb.StopEvent. The gdb.Breakpoint attached to the event will have
type BP_CATCHPOINT.
Python TUI windows can now receive mouse click events. If the Window object
implements the click method, it is called for each mouse click event in this
window.
New setting "python ignore-environment on|off"; if "on", causes GDB's builtin
Python to ignore any environment variable that would otherwise affect how Python
behaves (needs to be set during "early initialization" (see above).
New setting "python dont-write-bytecode auto|on|off".
Guile API enhancements:
Improved support for rvalue reference values.
New procedures for obtaining value variants: value-reference-value,
value-rvalue-reference-value and value-const-value.
New "qMemTags" and "QMemTags" remote protocol packets (associated with Memory Tagging).
GDB will now look for the .gdbinit file in a config directory before looking for
~/.gdbinit. The file is searched for in the following locations: $XDG_CONFIG_HOME/gdb/gdbinit, $HOME/.config/gdb/gdbinit, $HOME/.gdbinit. On Apple hosts the search order is instead: $HOME/Library/Preferences/gdb/gdbinit, $HOME/.gdbinit.
The "break [...] if CONDITION" command no longer returns an error when the condition
is invalid at one or more locations. Instead, if the condition is valid at one or
more locations, the locations where the condition is not valid are disabled.
The behavior of the "condition" command is changed to match the new behavior of the
"break" command.
Support for general memory tagging functionality (currently limited to AArch64 MTE)
Core file debugging now supported for x86_64 Cygwin programs.
New "org.gnu.gdb.riscv.vector" feature for RISC-V targets.
GDB now supports fixed point types which are described in DWARF as base types with a
fixed-point encoding. Additionally, support for the DW_AT_GNU_numerator and
DW_AT_GNU_denominator has also been added.
Miscellaneous:
New "startup-quietly on|off" setting; when "on", behaves the same as passing the
"-silent" option on the command line.
New "print type hex on|off" setting; when 'on', the 'ptype' command uses
hexadecimal notation to print sizes and offsets of struct members. When 'off',
decimal notation is used.
The "inferior" command, when run without argument, prints information about the
current inferior.
The "ptype" command now supports "/x" and "/d", affecting the base used to print
sizes and offsets.
The output of the "info source" has been restructured.
New "style version foreground | background | intensity" commands to control the
styling of the GDB version number.
Various debug and maintenance commands (mostly useful for the GDB developers)
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
we have removed the -multi after the kernel name but
in the update script delete *-multi-* which leftover
the arm specific dtb folder and uImages.
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
- Add ms-classless-static-routes and rfc3442-classless-static-routes as options for dhcp
These are apparently required for deployiong classless IP routes
- Original static-routes option is not intended for classless IP routing but is being
left in place for backward compatibility
- The option "rfc3442-classless-static-routes" is for normal clients
- The option "ms-classless-static-routes" is for Microsoft clients
Fixes: bug 12291
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Reviewed-by: Michael Tremer <michael.tremer@ipfire.org>
Reviewed-by: Peter Müller <peter.mueller@ipfire.org>
Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org>
For details see:
https://dlcdn.apache.org//httpd/CHANGES_2.4.52
Excerpt from changelog:
""Changes with Apache 2.4.52
*) SECURITY: CVE-2021-44790: Possible buffer overflow when parsing
multipart content in mod_lua of Apache HTTP Server 2.4.51 and
earlier (cve.mitre.org)
A carefully crafted request body can cause a buffer overflow in
the mod_lua multipart parser (r:parsebody() called from Lua
scripts).
The Apache httpd team is not aware of an exploit for the
vulnerabilty though it might be possible to craft one.
This issue affects Apache HTTP Server 2.4.51 and earlier.
Credits: Chamal
*) SECURITY: CVE-2021-44224: Possible NULL dereference or SSRF in
forward proxy configurations in Apache HTTP Server 2.4.51 and
earlier (cve.mitre.org)
A crafted URI sent to httpd configured as a forward proxy
(ProxyRequests on) can cause a crash (NULL pointer dereference)
or, for configurations mixing forward and reverse proxy
declarations, can allow for requests to be directed to a
declared Unix Domain Socket endpoint (Server Side Request
Forgery).
This issue affects Apache HTTP Server 2.4.7 up to 2.4.51
(included).
Credits: 漂亮é¼
TengMA(@Te3t123)
..."
Reviewed-by: Michael Tremer <michael.tremer@ipfire.org>
Reviewed-by: Peter Müller <peter.mueller@ipfire.org>
The parsers for those are disabled in the suricata config so
the rules are not needed, on the contrary they massively will spam
warnings when launching suricate because of the disabled parsers.
Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
In order to be able to run the ISO command on command line it is helpful
that the script does not go into background halfway through the process.
We should rather start it as a background job straight from the CGI
script.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
This patch is changing the behaviour of the backup script so that it
creates one tarball and compresses it in one go.
This will save storing the original tarball on disk before compressing
it which on my test system requires significant disk space.
This patch also solves a bug where the backup file included with the ISO
image could not be extracted because it was not gzip-compressed when it
was expected to be.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
- Update from 4.14.0.4 to 4.15.0.1
- Update of rootfile
- Changelog
v4.15.0.1
rebased with official coreboot repository commit 6973a3e7
v4.14.0.6
rebased with official coreboot repository commit d06c0917
Re-added GPIO bindings to fix LED and button functionality
v4.14.0.5
rebased with official coreboot repository commit d4c55353
Updated CPU declarations in ACPI to comply with newer ACPI standard
Removed GPIO bindings to fix conflict with OS drivers
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Reviewed-by: Michael Tremer <michael.tremer@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
