The GPL is not an EULA and so there is no value in having users
accept it.
The UI is very broken and so I believe it is best to drop this entirely.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

- Update from version 3.2.1 to 3.3.0
- Update of rootfile
- Changelog
3.3
This release adds the following new features:
* Support for qlog for tracing QUIC connections has been added
* Added APIs to allow configuring the negotiated idle timeout for QUIC
connections, and to allow determining the number of additional streams
that can currently be created for a QUIC connection.
* Added APIs to allow disabling implicit QUIC event processing for QUIC SSL
objects
* Added APIs to allow querying the size and utilisation of a QUIC stream's
write buffer
* New API `SSL_write_ex2`, which can be used to send an end-of-stream (FIN)
condition in an optimised way when using QUIC.
* Limited support for polling of QUIC connection and stream objects in a
non-blocking manner.
* Added a new EVP_DigestSqueeze() API. This allows SHAKE to squeeze multiple
times with different output sizes.
* Added exporter for CMake on Unix and Windows, alongside the pkg-config
exporter.
* The BLAKE2s hash algorithm matches BLAKE2b's support for configurable
output length.
* The EVP_PKEY_fromdata function has been augmented to allow for the
derivation of CRT (Chinese Remainder Theorem) parameters when requested
* Added API functions SSL_SESSION_get_time_ex(), SSL_SESSION_set_time_ex()
using time_t which is Y2038 safe on 32 bit systems when 64 bit time
is enabled
* Unknown entries in TLS SignatureAlgorithms, ClientSignatureAlgorithms
config options and the respective calls to SSL[_CTX]_set1_sigalgs() and
SSL[_CTX]_set1_client_sigalgs() that start with `?` character are
ignored and the configuration will still be used.
* Added `-set_issuer` and `-set_subject` options to `openssl x509` to
override the Issuer and Subject when creating a certificate. The `-subj`
option now is an alias for `-set_subject`.
* Added several new features of CMPv3 defined in RFC 9480 and RFC 9483
* New option `SSL_OP_PREFER_NO_DHE_KEX`, which allows configuring a TLS1.3
server to prefer session resumption using PSK-only key exchange over PSK
with DHE, if both are available.
* New atexit configuration switch, which controls whether the OPENSSL_cleanup
is registered when libcrypto is unloaded.
* Added X509_STORE_get1_objects to avoid issues with the existing
X509_STORE_get0_objects API in multi-threaded applications.
This release incorporates the following potentially significant or incompatible
changes:
* Applied AES-GCM unroll8 optimisation to Microsoft Azure Cobalt 100
* Optimized AES-CTR for ARM Neoverse V1 and V2
* Enable AES and SHA3 optimisations on Apple Silicon M3-based MacOS systems
similar to M1/M2.
* Various optimizations for cryptographic routines using RISC-V vector crypto
extensions
* Added assembly implementation for md5 on loongarch64
* Accept longer context for TLS 1.2 exporters
* The activate and soft_load configuration settings for providers in
openssl.cnf have been updated to require a value of [1|yes|true|on]
(in lower or UPPER case) to enable the setting. Conversely a value
of [0|no|false|off] will disable the setting.
* In `openssl speed`, changed the default hash function used with `hmac` from
`md5` to `sha256`.
* The `-verify` option to the `openssl crl` and `openssl req` will make the
program exit with 1 on failure.
* The d2i_ASN1_GENERALIZEDTIME(), d2i_ASN1_UTCTIME(), ASN1_TIME_check(), and
related functions have been augmented to check for a minimum length of
the input string, in accordance with ITU-T X.690 section 11.7 and 11.8.
* OPENSSL_sk_push() and sk_<TYPE>_push() functions now return 0 instead of -1
if called with a NULL stack argument.
* New limit on HTTP response headers is introduced to HTTP client. The
default limit is set to 256 header lines.
This release incorporates the following bug fixes and mitigations:
* The BIO_get_new_index() function can only be called 127 times before it
reaches its upper bound of BIO_TYPE_MASK and will now return -1 once it's
exhausted.
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Reviewed-by: Michael Tremer <michael.tremer@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

For details see:
https://github.com/oetiker/rrdtool-1.x/releases/tag/v1.9.0
"RRDtool 1.9.0 — 2024-07-29
Bugfixes
Fix ytop and ybase adjustments for overlapping area issue on transparent areas @turban
Suppress warnings of implicit fall through @youpong
Update tarball download link in doc @c72578
Fix unsigned integer overflow in rrdtool first. Add test for rrd_first() @c72578
Fix tests under MSYS2 (Windows) @c72578
Fix BUILD_DATE in rrdtool help output @c72578
acinclude.m4: Include <stdlib.h> when using exit @ryandesign
rrdtool-release: Create NUMVERS from VERSION file @c72578
Avoids leaking of file descriptors in multi threaded programs by @ensc
Avoids potential unterminated string because of fixed PATH_MAX buffer
Fix extra reference of parameters of rrd_fetch_dbi_{long,double} @jamborm"
Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

- Update from version 2.14 to 2.15.1
- Update of rootfile not required
- Changelog
2.15.1
o OSPF: Fix regression in handling PtP links
o RPKI: Handle connection resets properly
o Static: Reject invalid combination of options
o Fix builds with limited set of protocols
2.15
o BGP: Send hold timer
o BGP: New options to specify required BGP capabilities
o BFD: Improvements to 'show bfd sessions' command
o RPKI: New 'local address' configuration option
o Linux: Support for more route attributes, including
TCP congestion control algorithm
o Support for UDP logging
o Static routes can have both nexthop and interface specified
o Completion of command options in BIRD client
o Many bugfixes and improvements
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

According to the documentation, Vectorscan checks whether the CPU is
supporting the minimum requirement of SSE4.2. However the check is still
checking for SSSE3 which makes the library fail on systems without
SSE4.2.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

- Update from version 1.24.0 to 1.26.1
- Update of rootfile not required
- Version 1.24.0 is now a legacy version, no longer being supported. Stable version has
changed to 1.26.x series.
- Various CVE fixes in 1.26.1 and in 1.25.4, the development branch that became 1.26.0,
that the legacy version 1.24.0 is also vulnerable to.
- Changelog
1.26.1
*) Security: when using HTTP/3, processing of a specially crafted QUIC
session might cause a worker process crash, worker process memory
disclosure on systems with MTU larger than 4096 bytes, or might have
potential other impact (CVE-2024-32760, CVE-2024-31079,
CVE-2024-35200, CVE-2024-34161).
*) Bugfix: reduced memory consumption for long-lived requests if "gzip",
"gunzip", "ssi", "sub_filter", or "grpc_pass" directives are used.
*) Bugfix: nginx could not be built by gcc 14 if the --with-atomic
option was used.
*) Bugfix: in HTTP/3.
1.26.0
*) 1.26.x stable branch.
1.25.5
*) Feature: virtual servers in the stream module.
*) Feature: the ngx_stream_pass_module.
*) Feature: the "deferred", "accept_filter", and "setfib" parameters of
the "listen" directive in the stream module.
*) Feature: cache line size detection for some architectures.
*) Feature: support for Homebrew on Apple Silicon.
*) Bugfix: Windows cross-compilation bugfixes and improvements.
*) Bugfix: unexpected connection closure while using 0-RTT in QUIC.
1.25.4
*) Security: when using HTTP/3 a segmentation fault might occur in a
worker process while processing a specially crafted QUIC session
(CVE-2024-24989, CVE-2024-24990).
*) Bugfix: connections with pending AIO operations might be closed
prematurely during graceful shutdown of old worker processes.
*) Bugfix: socket leak alerts no longer logged when fast shutdown was
requested after graceful shutdown of old worker processes.
*) Bugfix: a socket descriptor error, a socket leak, or a segmentation
fault in a worker process (for SSL proxying) might occur if AIO was
used in a subrequest.
*) Bugfix: a segmentation fault might occur in a worker process if SSL
proxying was used along with the "image_filter" directive and errors
with code 415 were redirected with the "error_page" directive.
*) Bugfixes and improvements in HTTP/3.
1.25.3
*) Change: improved detection of misbehaving clients when using HTTP/2.
*) Feature: startup speedup when using a large number of locations.
Thanks to Yusuke Nojima.
*) Bugfix: a segmentation fault might occur in a worker process when
using HTTP/2 without SSL; the bug had appeared in 1.25.1.
*) Bugfix: the "Status" backend response header line with an empty
reason phrase was handled incorrectly.
*) Bugfix: memory leak during reconfiguration when using the PCRE2
library.
*) Bugfixes and improvements in HTTP/3.
1.25.2
*) Feature: path MTU discovery when using HTTP/3.
*) Feature: TLS_AES_128_CCM_SHA256 cipher suite support when using
HTTP/3.
*) Change: now nginx uses appname "nginx" when loading OpenSSL
configuration.
*) Change: now nginx does not try to load OpenSSL configuration if the
--with-openssl option was used to build OpenSSL and the OPENSSL_CONF
environment variable is not set.
*) Bugfix: in the $body_bytes_sent variable when using HTTP/3.
*) Bugfix: in HTTP/3.
1.25.1
*) Feature: the "http2" directive, which enables HTTP/2 on a per-server
basis; the "http2" parameter of the "listen" directive is now
deprecated.
*) Change: HTTP/2 server push support has been removed.
*) Change: the deprecated "ssl" directive is not supported anymore.
*) Bugfix: in HTTP/3 when using OpenSSL.
1.25.0
*) Feature: experimental HTTP/3 support.
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

"All good things go by three..."
For details see:
https://dlcdn.apache.org/httpd/CHANGES_2.4.62
"Changes with Apache 2.4.62
*) SECURITY: CVE-2024-40898: Apache HTTP Server: SSRF with
mod_rewrite in server/vhost context on Windows (cve.mitre.org)
SSRF in Apache HTTP Server on Windows with mod_rewrite in
server/vhost context, allows to potentially leak NTLM hashes to
a malicious server via SSRF and malicious requests.
Users are recommended to upgrade to version 2.4.62 which fixes
this issue.
Credits: Smi1e (DBAPPSecurity Ltd.)
*) SECURITY: CVE-2024-40725: Apache HTTP Server: source code
disclosure with handlers configured via AddType (cve.mitre.org)
A partial fix for CVE-2024-39884 in the core of Apache HTTP
Server 2.4.61 ignores some use of the legacy content-type based
configuration of handlers. "AddType" and similar configuration,
under some circumstances where files are requested indirectly,
result in source code disclosure of local content. For example,
PHP scripts may be served instead of interpreted.
Users are recommended to upgrade to version 2.4.62, which fixes
this issue.
*) mod_proxy: Fix canonicalisation and FCGI env (PATH_INFO, SCRIPT_NAME) for
"balancer:" URLs set via SetHandler, also allowing for "unix:" sockets
with BalancerMember(s). PR 69168. [Yann Ylavic]
*) mod_proxy: Avoid AH01059 parsing error for SetHandler "unix:" URLs.
PR 69160 [Yann Ylavic]
*) mod_ssl: Fix crashes in PKCS#11 ENGINE support with OpenSSL 3.2.
[Joe Orton]
*) mod_ssl: Add support for loading certs/keys from pkcs11: URIs
via OpenSSL 3.x providers. [Ingo Franzki <ifranzki linux.ibm.com>]
*) mod_ssl: Restore SSL dumping on trace7 loglevel with OpenSSL >= 3.0.
[Ruediger Pluem, Yann Ylavic]
*) mpm_worker: Fix possible warning (AH00045) about children processes not
terminating timely. [Yann Ylavic]"
Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org>
Reviewed-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

- Commit has been made in mpd but no release has yet been made with the change. When the
next version release of mpd occurs this patch can be removed.
- The patch changes all format calls to be const. Without this patch mpd will not build
with fmt-11.0.0 or newer.
- Update of rootfile not required.
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>