- check_mk_agent, client175 & lcr are addons that have been removed so the backup
definitions are no longer required.
- dma is not a package but a core program and has its config backup requirements
built into the core backup include file so the addon backup definition is not
used or needed.
- No issues found in the build after these files were removed.
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Reviewed-by: Peter Müller <peter.mueller@ipfire.org>
Reviewed-by: Michael Tremer <michael.tremer@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
this functions was removed from speed.cgi by reading kernel netowrk
statistics instead of parsing ip -s show ...
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
These are no longer necessary, since ddns 0.14 comes with both of them
applied.
Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
- Update from 2.31.0 to 2.33.1
- Update rootfile
- Changelog is too long to show here. The details can be found in the 2.31.1.txt,
2.32.0.txt, 2.33.0.txt and 2.33.1.txt files in the Documentation/RelNotes
directory in the source tarball
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
- Update from 7.78.0 to 7.79.1
- Update of rootfile not required
- Changelog
Fixed in 7.79.1 - September 22 2021
Bugfixes:
Curl_http2_setup: don't change connection data on repeat invokes
curl_multi_fdset: make FD_SET() not operate on sockets out of range
dist: provide lib/.checksrc in the tarball
FAQ: add GOPHERS + curl works on data, not files
hsts: CURLSTS_FAIL from hsts read callback should fail transfer
hsts: handle unlimited expiry
http: fix the broken >3 digit response code detection
strerror: use sys_errlist instead of strerror on Windows
test1184: disable
tests/sshserver.pl: make it work with openssh-8.7p1
Fixed in 7.79.0 - September 15 2021
Changes:
bearssl: support CURLOPT_CAINFO_BLOB
http: consider cookies over localhost to be secure
secure transport: support CURLINFO_CERTINFO
Bugfixes:
CVE-2021-22945: clear the leftovers pointer when sending succeeds
CVE-2021-22946: do not ignore --ssl-reqd
CVE-2021-22947: reject STARTTLS server response pipelining
ares: use ares_getaddrinfo()
asyn-ares.c: move all version number checks to the top
auth: do not append zero-terminator to authorisation id in kerberos
auth: properly handle byte order in kerberos security message
auth: use sasl authzid option in kerberos
auth: we do not support a security layer after kerberos authentication
BINDINGS.md: update links to use https where available
build: fix compiler warnings
c-hyper: deal with Expect: 100-continue combined with POSTFIELDS
c-hyper: fix header value passed to debug callback
c-hyper: handle HTTP/1.1 => HTTP/1.0 downgrade on reused connection
c-hyper: initial step for 100-continue support
c-hyper: initial support for "dumping" 1xx HTTP responses
c-hyper: remove the hyper_executor_poll() loop from Curl_http
CI/cirrus: reduce compile time with increased parallism
CI: use GitHub Container Registry instead of Docker Hub
cirrus: Add FreeBSD 13.0 job and disable sanitizer build
cmake: avoid poll() on macOS
cmake: sync CURL_DISABLE options
codeql: fix error "Resource not accessible by integration"
compressed.d: it's a request, not an order
config.d: escape the backslash properly
config.d: note that curlrc is used even when --config
config: get rid of the unused HAVE_SIG_ATOMIC_T et. al.
configure.ac: revert bad nghttp2 library detection improvements
configure: error out if both ngtcp2 and quiche are specified
configure: make --disable-hsts work
configure: set classic mingw minimum OS version to XP
configure: tweak nghttp2 library name fix
connect: get local port + ip also when reusing connections
connect: remove superfluous conditional
curl-openssl.m4: check lib64 for the pkg-config file
curl-openssl.m4: show correct output for OpenSSL v3
curl.1: mention "global" flags
curl.1: provide examples for each option
curl: add warning for ignored data after quoted form parameter
curl: add warning for incompatible parameters usage
curl: better error message when -O fails to get a good name
curl: stop retry if Retry-After: is longer than allowed
curl_easy_setopt.3: improve the string copy wording
Curl_hsts_loadcb: don't attempt to load if hsts wasn't inited
curl_setup.h: sync values for HTTP_ONLY
curl_url_get.3: clarify about path and query
CURLMOPT_TIMERFUNCTION.3: remove misplaced "time"
CURLOPT_DOH_URL.3: CURLOPT_OPENSOCKETFUNCTION is not inherited
CURLOPT_SSL_CTX_*.3: tidy up the example
CURLOPT_UNIX_SOCKET_PATH.3: remove nginx reference, add see also
docs/MQTT: update state of username/password support
docs: remove experimental mentions from HSTS and MQTT
docs: the security list is reached at security at curl.se now
easy: use a custom implementation of wcsdup on Windows
examples/*hiperfifo.c: fix calloc arguments to match function proto
examples/cookie_interface: avoid printfing time_t directly
examples/cookie_interface: fix scan-build printf warning
examples/ephiperfifo.c: simplify signal handler
FAQ: add two dev related questions
getparameter: fix the --local-port number parser
happy-eyeballs-timeout-ms.d: polish the wording
hostip: Make Curl_ipv6works function independent of getaddrinfo
http2: Curl_http2_setup needs to init stream data in all invokes
http2: revert a change that broke upgrade to h2c
http2: revert call the handle-closed function correctly on closed stream
http: disallow >3-digit response codes
http: ignore content-length if any transfer-encoding is used
http_proxy: clear 'sending' when the outgoing request is sent
http_proxy: fix the User-Agent inclusion in CONNECT
http_proxy: fix user-agent and custom headers for CONNECT with hyper
http_proxy: only wait for writable socket while sending request
INTERNALS: bump c-ares requirement to 1.16.0
INTERNALS: c-ares has a new home: c-ares.org
lib: don't use strerror()
libcurl-errors.3: clarify two CURLUcode errors
limit-rate.d: clarify base unit
mailing lists: move from cool.haxx.se to lists.haxx.se
mbedtls: avoid using a large buffer on the stack
mbedTLS: initial 3.0.0 support
mbedtls_threadlock: fix unused variable warning
mksymbolsmanpage.pl: Fix showing symbol's last used version
mksymbolsmanpage.pl: match symbols case insenitively
multi: fix compiler warning with `CURL_DISABLE_WAKEUP`
ngtcp2: compile with the latest ngtcp2 and nghttp3
ngtcp2: fix build with ngtcp2 and nghttp3
ngtcp2: remove the acked_crypto_offset struct field init
ngtcp2: replace deprecated functions with nghttp3_conn_shutdown_stream_read
ngtcp2: reset the oustanding send buffer again when drained
ngtcp2: rework the return value handling of ngtcp2_conn_writev_stream
ngtcp2: stop buffering crypto data
ngtcp2: utilize crypto API functions to simplify
openssl: annotate SSL3_MT_SUPPLEMENTAL_DATA
openssl: when creating a new context, there cannot be an old one
opt-docs: make sure all man pages have examples
opt-docs: verify man page sections + order
opts docs: unify phrasing in NAME header
output.d: add method to suppress response bodies
page-header: add GOPHERS, simplify wording in the 1st para
progress: fix a compile warning on some systems
progress: make trspeed avoid floats
runtests: add option -u to error on server unexpectedly alive
schannel: Work around typo in classic mingw macro
scripts: invoke interpreters through /usr/bin/env
setopt: enable CURLOPT_IGNORE_CONTENT_LENGTH for hyper
strerror.h: remove the #include from files not using it
symbols-in-versions: fix CURLSSLBACKEND_QSOSSL last used version
test1138: remove trailing space to make work with hyper
test1173: check references to libcurl options
test1280: CRLFify the response to please hyper
test1565: fix windows build errors
test365: verify response with chunked AND Content-Length headers
tests/*server.pl: flush output before executing subprocess
tests/*server.py: remove pidfile on server termination
tests/runtests.pl: cleanup copy&paste mistakes and unused code
tests/server/*.c: align handling of portfile argument and file
tests: adjust the tftpd output to work with hyper mode
tests: be explicit about using 'python3' instead of 'python'
tests: enable test 1129 for hyper builds
tests: make three tests pass until 2037
tool/tests: fix potential year 2038 issues
tool_operate: Fix --fail-early with parallel transfers
url: fix compiler warning in no-verbose builds
urlapi.c:seturl: assert URL instead of using if-check
vtls: fix typo in schannel_verify.c
winbuild/README.md: clarify GEN_PDB option
wolfssl: clean up wolfcrypt error queue
write-out.d: clarify size_download/upload
x509asn1: fix heap over-read when parsing x509 certificates
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Release notes as per https://github.com/strongswan/strongswan/releases/tag/5.9.4:
Fixed a denial-of-service vulnerability in the gmp plugin that was caused by an integer overflow when processing RSASSA-PSS signatures with very large salt lengths. This vulnerability has been registered as CVE-2021-41990.
Please refer to our blog for details.
Fixed a denial-of-service vulnerability in the in-memory certificate cache if certificates are replaced and a very large random value caused an integer overflow. This vulnerability has been registered as CVE-2021-41991.
Please refer to our blog for details.
Fixed a related flaw that caused the daemon to accept and cache an infinite number of versions of a valid certificate by modifying the parameters in the signatureAlgorithm field of the outer X.509 Certificate structure.
AUTH_LIFETIME notifies are now only sent by a responder if it can't reauthenticate the IKE_SA itself due to asymmetric authentication (i.e. EAP) or the use of virtual IPs.
Several corner cases with reauthentication have been fixed (48fbe1d, 36161fe, 0d373e2).
Serial number generation in several pki sub-commands has been fixed so they don't start with an unintended zero byte (#631).
Loading SSH public keys via vici has been improved (#467).
Shared secrets, PEM files, vici messages, PF_KEY messages, swanctl configs and other data is properly wiped from memory.
Use a longer dummy key to initialize HMAC instances in the openssl plugin in case it's used in FIPS-mode (#557).
The --enable-tpm option now implies --enable-tss-tss2 as the plugin doesn't do anything without a TSS 2.0.
libtpmtss is initialized in all programs and libraries that use it.
Migrated testing scripts to Python 3.
The testing environment uses images based on Debian bullseye by default (support for jessie was removed).
To my understanding, IPFire is not affected by CVE-2021-41990, as we do
not support creation of IPsec connections using RSASSA-PSS (please
correct me if we do :-). In contrast, CVE-2021-41991 affects IPFire
installations indeed.
Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
after removimg the mark rules this rules are useless because they should skip expensive policy matches
that now are removed.
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
latest ipfroute2 update change the output so this repkace it by reading /sys/class/net/*/statistics
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
