These two patches are needed to support SFP's on NXP DPAA2 platforms
(e.g Traverse Ten64).
The deadlock issue patch was submitted upstream a while ago and
rejected, however I am not aware of any better solutions at present.
The 10G mode additions are part of mainline since 5.16.
These two .patches were sourced from our patchset over here:
https://gitlab.com/traversetech/traverse-kernel-patches/-/tree/lts-5-15/patches
Signed-off-by: Mathew McBride <matt@traverse.com.au>
Reviewed-by: Michael Tremer <michael.tremer@ipfire.org>
This change enables support for NXP's QorIQ/Layerscape platforms,
specifically the Traverse Technologies Ten64 (LS1088A).
Signed-off-by: Mathew McBride <matt@traverse.com.au>
Reviewed-by: Michael Tremer <michael.tremer@ipfire.org>
- Update from version 3.2.4 plus CVE-2022-29154 patch to 3.2.6
- Patch for CVE-2022-29154 applied in CU170 turned out to have a bug within it causing
rsync to fail with an error. Four additional commits were done to fix this bug and
its consequences but these were all applied in the rsync git repo after the patch had
been merged into CU170.
- Version 3.2.5 onwards contains the CVE-2022-29154 fix and associated commits.
- No update of rootfile required.
- Changelog
NEWS for rsync 3.2.6 (9 Sep 2022)
BUG FIXES:
More path-cleaning improvements in the file-list validation code to avoid
rejecting of valid args.
A file-list validation fix for a --files-from file that ends without a
line-terminating character.
Added a safety check that prevents the sender from removing destination
files when a local copy using --remove-source-files has some files that are
shared between the sending & receiving hierarchies, including the case
where the source dir & destination dir are identical.
Fixed a bug in the internal MD4 checksum code that could cause the digest to
be sporadically incorrect (the openssl version was/is fine).
A minor tweak to rrsync added "copy-devices" to the list of known args, but
left it disabled by default.
ENHANCEMENTS:
Rename --protect-args to --secluded-args to make it clearer how it differs
from the default backslash-escaped arg-protecting behavior of rsync. The
old option names are still accepted. The environment-variable override did
not change its name.
PACKAGING RELATED:
The configure option --with-protected-args was renamed to
--with-secluded-args. This option makes --secluded-args the default rsync
behavior instead of using backslash escaping for protecting args.
The mkgitver script now makes sure that a .git dir/file is in the top-level
source dir before calling git describe. It also runs a basic check on the
version value. This should avoid using an unrelated git description for
rsync's version.
DEVELOPER RELATED:
The configure script no longer sets the -pedantic-errors CFLAG (which it
used to try to do only for gcc).
The name_num_obj struct was modified to allow its dynamic name_num_item list
to be initialized in a better way.
NEWS for rsync 3.2.5 (14 Aug 2022)
SECURITY FIXES:
Added some file-list safety checking that helps to ensure that a rogue
sending rsync can't add unrequested top-level names and/or include
recursive names that should have been excluded by the sender. These extra
safety checks only require the receiver rsync to be updated. When dealing
with an untrusted sending host, it is safest to copy into a dedicated
destination directory for the remote content (i.e. don't copy into a
destination directory that contains files that aren't from the remote host
unless you trust the remote host). Fixes CVE-2022-29154.
A fix for CVE-2022-37434 in the bundled zlib (buffer overflow issue).
BUG FIXES:
Fixed the handling of filenames specified with backslash-quoted wildcards
when the default remote-arg-escaping is enabled.
Fixed the configure check for signed char that was causing a host that
defaults to unsigned characters to generate bogus rolling checksums. This
made rsync send mostly literal data for a copy instead of finding matching
data in the receiver's basis file (for a file that contains high-bit
characters).
Lots of manpage improvements, including an attempt to better describe how
include/exclude filters work.
If rsync is compiled with an xxhash 0.8 library and then moved to a system
with a dynamically linked xxhash 0.7 library, we now detect this and
disable the XX3 hashes (since these routines didn't stabilize until 0.8).
ENHANCEMENTS:
The --trust-sender option was added as a way to bypass the extra file-list
safety checking (should that be required).
PACKAGING RELATED:
A note to those wanting to patch older rsync versions: the changes in this
release requires the quoted argument change from 3.2.4. Then, you'll want
every single code change from 3.2.5 since there is no fluff in this release.
The build date that goes into the manpages is now based on the developer's
release date, not on the build's local-timezone interpretation of the date.
DEVELOPER RELATED:
Configure now defaults GETGROUPS_T to gid_t when cross compiling.
Configure now looks for the bsd/string.h include file in order to fix the
build on a host that has strlcpy() in the main libc but not defined in the
main string.h file.
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Reviewed-by: Michael Tremer <michael.tremer@ipfire.org>
Since last time we checked, the kernel's security features on ARM have
improved notably (see CONFIG_RANDOMIZE_BASE discussion). This patch
therefore proposes to give the seccomp filter on both 32- and 64-bit ARM
another try, since it provides significant security benefit to
applications using it.
Due to operational constraints, rootfile changes have been omitted, and
will be conducted, should this patch be approved.
Note to future self: Once this patch is approved, applications using
seccomp (OpenSSH, Tor) need to be updated/shipped on ARM.
Fixes: #12366Fixes: #12370
Cc: Arne Fitzenreiter <arne.fitzenreiter@ipfire.org>
Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
From the kernels' documentation:
> Uprobes is the user-space counterpart to kprobes: they
> enable instrumentation applications (such as 'perf probe')
> to establish unintrusive probes in user-space binaries and
> libraries, by executing handler functions when the probes
> are hit by user-space applications.
>
> ( These probes come in the form of single-byte breakpoints,
> managed by the kernel and kept transparent to the probed
> application. )
To the best of the authors' understanding, no application on IPFire
needs this functionality, and given its abuse potential, we should
probably not enable it.
As expected, strace functionality is not impaired by this.
Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
Changelog:
"6.0.8 -- 2022-09-27
Task #5552: libhtp 0.5.41
6.0.7 -- 2022-09-27
Security #5430: mqtt: DOS by quadratic with too many transactions in one parse (6.0.x backport)
Bug #5559: BUG_ON triggered from TmThreadsInjectFlowById (6.0.x backport)
Bug #5549: Failed assert DeStateSearchState (6.0.x)
Bug #5548: tcp: assertion failed in DoInsertSegment (BUG_ON) (6.0.x)
Bug #5547: rules: less strict parsing of unexpected flowbit options
Bug #5546: rules: don't error on bad hex in content
Bug #5540: detect: transform strip whitespace creates a 0-sized variable-length array: backport6
Bug #5505: http2: slow http2_frames_get_header_value_vec because of allocation [backport6]
Bug #5471: Reject action is no longer working (6.0.x backport)
Bug #5467: rules: more graceful handling of anomalies for stable versions
Bug #5459: Counters are not initialized in all places. (6.0.x backport)
Bug #5448: nfs: add maximum number of operations per compound (6.0.x backport)
Bug #5436: Infinite loop if the sniffing interface temporarily goes down (6.0.x backports)
Bug #5335: flow: vlan.use-for-tracking is not used for ICMPv4 (6.0.x backport)
Bug #4421: flow manager: using too much CPU during idle (6.0.x backport)
Feature #5535: ips: add "reject" action to exception policies (6.0.x backport)
Feature #5500: ips: midstream: add "exception policy" for midstream (6.0.x backport)
Task #5551: doc: add exception policy documentation (6.0.x)
Task #5533: detect/parse: add tests for parsing signatures with reject and drop action (6.0.x backport)
Task #5525: exceptions: error out when invalid configuration value is passed (6.0.x backport)
Task #5381: add `alert-queue-expand-fails` command-line option (6.0.x backport)
Task #5328: python: distutils deprecation warning (6.0.x backport)"
Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org>
Reviewed-by: Peter Müller <peter.mueller@ipfire.org>
Since these files are static, there is no legitimate reason why they
should be owned (hence writable) by "nobody". Also, according to
configroot's LFS file, this is the intended behaviour for the *.user
files, which is then overwritten by the backup LFS file. Therefore, set
the file mode of these statically - configroot does not feature other
files in /var/ipfire/backup/ anyway.
Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
Reviewed-by: Michael Tremer <michael.tremer@ipfire.org>
- Update from version 2.4.8 to 2.4.9
- Update of rootfile
- Changelog
Release 2.4.9 Tue September 20 2022
Security fixes:
#629#640 CVE-2022-40674 -- Heap use-after-free vulnerability in
function doContent. Expected impact is denial of service
or potentially arbitrary code execution.
Bug fixes:
#634 MinGW: Fix mis-compilation for -D__USE_MINGW_ANSI_STDIO=0
#614 docs: Fix documentation on effect of switch XML_DTD on
symbol visibility in doc/reference.html
Other changes:
#638 MinGW: Make fix-xmltest-log.sh drop more Wine bug output
#596#625 Autotools: Sync CMake templates with CMake 3.22
#608 CMake: Migrate from use of CMAKE_*_POSTFIX to
dedicated variables EXPAT_*_POSTFIX to stop affecting
other projects
#597#599 Windows|CMake: Add missing -DXML_STATIC to test runners
and fuzzers
#512#621 Windows|CMake: Render .def file from a template to fix
linking with -DEXPAT_DTD=OFF and/or -DEXPAT_ATTR_INFO=ON
#611#621 MinGW|CMake: Apply MSVC .def file when linking
#622#624 MinGW|CMake: Sync library name with GNU Autotools,
i.e. produce libexpat-1.dll rather than libexpat.dll
by default. Filename libexpat.dll.a is unaffected.
#632 MinGW|CMake: Set missing variable CMAKE_RC_COMPILER in
toolchain file "cmake/mingw-toolchain.cmake" to avoid
error "windres: Command not found" on e.g. Ubuntu 20.04
#597#627 CMake: Unify inconsistent use of set() and option() in
context of public build time options to take need for
set(.. FORCE) in projects using Expat by means of
add_subdirectory(..) off Expat's users' shoulders
#626#641 Stop exporting API symbols when building a static library
#644 Resolve use of deprecated "fgrep" by "grep -F"
#620 CMake: Make documentation on variables a bit more consistent
#636 CMake: Drop leading whitespace from a #cmakedefine line in
file expat_config.h.cmake
#594 xmlwf: Fix harmless variable mix-up in function nsattcmp
#592#593#610 Address Cppcheck warnings
#643 Address Clang 15 compiler warnings
#642#644 Version info bumped from 9:8:8 to 9:9:8;
see https://verbump.de/ for what these numbers do
Infrastructure:
#597#598 CI: Windows: Start covering MSVC 2022
#619 CI: macOS: Migrate off deprecated macOS 10.15
#632 CI: Linux: Make migration off deprecated Ubuntu 18.04 work
#643 CI: Upgrade Clang from 14 to 15
#637 apply-clang-format.sh: Add support for BSD find
#633 coverage.sh: Exclude MinGW headers
#635 coverage.sh: Fix name collision for -funsigned-char
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Reviewed-by: Peter Müller <peter.mueller@ipfire.org>
For details see:
https://downloads.isc.org/isc/bind9/9.16.33/doc/arm/html/notes.html#notes-for-bind-9-16-33
"Security Fixes
Previously, there was no limit to the number of database lookups
performed while processing large delegations, which could be abused to
severely impact the performance of named running as a recursive
resolver. This has been fixed. (CVE-2022-2795)
ISC would like to thank Yehuda Afek from Tel-Aviv University and Anat
Bremler-Barr & Shani Stajnrod from Reichman University for bringing
this vulnerability to our attention. [GL #3394]
named running as a resolver with the stale-answer-client-timeout option
set to 0 could crash with an assertion failure, when there was a stale
CNAME in the cache for the incoming query. This has been fixed.
(CVE-2022-3080) [GL #3517]
A memory leak was fixed that could be externally triggered in the
DNSSEC verification code for the ECDSA algorithm. (CVE-2022-38177) [GL
#3487]
Memory leaks were fixed that could be externally triggered in the
DNSSEC verification code for the EdDSA algorithm. (CVE-2022-38178) [GL
#3487]
Feature Changes
Response Rate Limiting (RRL) code now treats all QNAMEs that are
subject to wildcard processing within a given zone as the same name, to
prevent circumventing the limits enforced by RRL. [GL #3459]
Zones using dnssec-policy now require dynamic DNS or inline-signing to
be configured explicitly. [GL #3381]
A backward-compatible approach was implemented for encoding
internationalized domain names (IDN) in dig and converting the domain
to IDNA2008 form; if that fails, BIND tries an IDNA2003 conversion. [GL
#3485]
Bug Fixes
A serve-stale bug was fixed, where BIND would try to return stale data
from cache for lookups that received duplicate queries or queries that
would be dropped. This bug resulted in premature SERVFAIL responses,
and has now been resolved. [GL #2982]"
Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org>
Reviewed-by: Peter Müller <peter.mueller@ipfire.org>
- Network (other) help link was set to go to Network (internal) wiki page
Link modified
- Running the check_manualpages.pl script requires it to be executable so the build
changed the permissions mode from 644 to 755
Tested-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Reviewed-by: Bernhard Bitsch <bbitsch@ipfire.org>
- Created (mostly) for old openvpn graphs
- RRD removed when no graph modification for +365 days
- chosen since graph max out is 365 days
- fcron job runs once per week
- chosen since this is just a cleanup and it doesnt need to run everyday
Note: logging can be added if needed.
Signed-off-by: Jon Murphy <jon.murphy@ipfire.org>
Reviewed-by: Bernhard Bitsch <bbitsch@ipfire.org>
Reviewed-by: Michael Tremer <michael.tremer@ipfire.org>
- cpufrequtils is a set of "tools" to manage and set cpu freq settings.
- There is an initscript but this is only loading the cpu dependent kernel modules that
are required by cpufrequtils.
- Therefore cpufrequtils is not a service but a set of tools that are used when required.
- SERVICES line made blank so that this addon does not show up in the services addon table.
- Modified install initscript line to not use SERVICES variable
Fixes: Bug#12933
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Reviewed-by: Bernhard Bitsch <bbitsch@ipfire.org>
For details see:
https://lists.nlnetlabs.nl/pipermail/unbound-users/2022-September/007885.html
"This release fixes CVE-2022-3204 Non-Responsive Delegation
Attack. It was reported by Yehuda Afek from Tel-Aviv
University and Anat Bremler-Barr and Shani Stajnrod from
Reichman University.
This fixes for better performance when under load, by cutting
promiscuous queries for nameserver discovery and limiting the
number of times a delegation point can look in the cache for
missing records.
Bug Fixes
- Patch for CVE-2022-3204 Non-Responsive Delegation Attack."
Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org>
Reviewed-by: Peter Müller <peter.mueller@ipfire.org>
According to the kernel's documentation,
> debugfs is a virtual file system that kernel developers use to put
> debugging files into. Enable this option to be able to read and
> write to these files.
There is no legitimate reason why one has to do so on an IPFire machine.
Further, the vast debugging options (i.e. related to various drivers)
have never been enabled, limiting the use of this virtual file system
even further.
This patch therefore proposes to disable it entirely, since its
potential security impact outweights its benefits. Due to operational
constraints, changes to ARM kernel configurations will be made if this
patch is approved for x86_64.
Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
Reviewed-by: Michael Tremer <michael.tremer@ipfire.org>
