- Looking through some of the changelog and some mail list communications it looks like
qemu decided they did noty want to maintain their own bundled version of libslirp when
the majority of OS's had their own version now in place. Ubuntu 18.04 did not have
libslirp but qemu stopped supporting that version from qemu-7.1
- So it looks like all OS's have a standard libslirp available now and qemu have taken
the decision to no longer have their own version but to use the system version. That
was always possible to do if use of the system version was explicitly defined but
the default was to use the bundled version.
- No evidence that libslirp is deprecated.
- The last version of libslirp was released a year ago but it looks like every month or
so there are a couple of commits merged. The last was a month ago.
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
- Update from version 8.0.3 to 8.1.1
- In CU179 the update of qemu caused at least one user to have a problem starting his
qemu system as the qemu bundled slirp library used for the net user backend was removed
in version 7.2. Unfortunately no user tested qemu in the CU179 Testing phase, or if they
did they are not using the net user backend.
- This patch adds the --enable-slirp option to configure and installs libslirp in a
separate patch.
- I can't test if this now works as I don't use qemu anywhere.
- Changelog is too large to include here.
8.1
https://wiki.qemu.org/ChangeLog/8.1
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
- Update from version 2.28.1 to 2.28.3
- Update of rootfile
- Changelog
2.28.3
This is a stable bugfix release, with the following changes:
Added a gamepad mapping for the G-Shark GS-GP702
Fixed touchpad events for the Razer Wolverine V2 Pro in PS5 mode
Fixed getting key events from TV remotes on Android
Updated to Android minSdkVersion 19 and targetSdkVersion 34 to meet Google
Play Store requirements
2.28.2
This is a stable bugfix release, with the following changes:
Fixed occasionally failing to open the clipboard on Windows
Fixed crash at shutdown when using the D3D11 renderer
Fixed setting the viewport when using the D3D12 renderer
Fixed crash using SDL event functions before initializing SDL on Windows
Fixed Xbox controller trigger motion events on Windows
Fixed Xbox controller rumble in the background on Windows
Added the hint SDL_HINT_JOYSTICK_WGI to control whether to use
Windows.Gaming.Input for controllers
Fixed 8BitDo gamepad mapping when in XInput mode on Linux
Fixed controller lockup initializing some unofficial PS4 replica controllers
Fixed video initialization on headless Linux systems using VNC
Fixed large mouse jump when changing relative mouse mode on macOS
Fixed hardware keyboard text input on iPadOS
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
- Update from version 2.18.5 to 2.19.0
- Update of rootfile for x86_64
- Changelog is too large to include here
4.19.0
See the WHATSNEW.txt file in the soiurce tarball
4.18.6
* BUG 15420: reply_sesssetup_and_X() can dereference uninitialized tmp
pointer.
* BUG 15430: Missing return in reply_exit_done().
* BUG 15289: post-exec password redaction for samba-tool is more reliable for
fully random passwords as it no longer uses regular expressions
containing the password value itself.
* BUG 9959: Windows client join fails if a second container CN=System exists
somewhere.
* BUG 15342: Spotlight sometimes returns no results on latest macOS.
* BUG 15417: Renaming results in NT_STATUS_SHARING_VIOLATION if previously
attempted to remove the destination.
* BUG 15427: Spotlight results return wrong date in result list.
* BUG 15414: "net offlinejoin provision" does not work as non-root user.
* BUG 15400: rpcserver no longer accepts double backslash in dfs pathname.
* BUG 15433: cm_prepare_connection() calls close(fd) for the second time.
* BUG 15346: 2-3min delays at reconnect with smb2_validate_sequence_number:
bad message_id 2.
* BUG 15441: samba-tool ntacl get segfault if aio_pthread appended.
* BUG 15446: DCERPC_PKT_CO_CANCEL and DCERPC_PKT_ORPHANED can't be parsed.
* BUG 15390: Python tarfile extraction needs change to avoid a warning
(CVE-2007-4559 mitigation).
* BUG 15435: Regression DFS not working with widelinks = true.
* BUG 9959: Windows client join fails if a second container CN=System exists
somewhere.
* BUG 15441: samba-tool ntacl get segfault if aio_pthread appended.
* BUG 15449: mdssvc: Do an early talloc_free() in _mdssvc_open().
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
- Update from version 9.6.7 to 11.0.6
- Update of rootfile
- Ran find-dependencies for the sobump. All libraries are only linked into bacula
- All of the versions from 9.6.7 to 11.0.6 and up to 13.0.3 have no bug fixes relatred to
the bacula-fd daemon. With bacula-fd running on a separate machine to the bacula-dir and
bacula-sd daemons, older versions of bacula-fd will work with no bug issues with a newer
bacula-dir and bacula-sd.
- If we put a very new version of bacula-fd on IPFire then it will not work with older
versions of bacula-dir and bacula-sd.
- A new feature in the bacula 11 series is that communication between daemons will
automatically use TLS if OpenSSL is installed on the machines running bacula.
Therefore having a bacula 11 based bacula-fd on IPFire will automatically, with no user
configuration required, use TLS for communication to the IPFire bacula-fd from the other
bacula daemons on other machines.
- This has been shown to automatically work between the bacula-fd daemons on my laptop and
desktop machines and the bacula-dir/bacula-sd on my server machine.
Currently communication between mu bacula-dir/bacuila-sd daemons and the IPFire bacula-fd
daemon communication is still unencrypted.
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
- In the services WUI page any addon that has a WUI menu page defined, such as Samba,
Guardian etc, has the addon name shown in underlined red which is a link to the addon
cgi page. This works for the other addons as the addon cgi name is the same as the
addon name. I have identified that this is not the case for apcupsd, because the cgi
page is called upsstats.cgi
- This patch adjusts the cgi name to allow apcupsd to also be shown in underlined red.
- The lfs file copies the upsstats.cgi file to one named apcupsd.cgi
- The apcupsd menu file has the cgi name changed from upsstats.cgi to apcupsd.cgi
- The rootfile is updated to also include the apcupsd.cgi file with the others.
- Tested in my vm testbed by making the above changes in the code and the apcupsd addon
was then shown in underlined red, which acted as a link to the apcupsd status WUI page.
Tested-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
- This is v2 version of this patch with the locations for the sysconf and binaries
corrected so that all files are in the same locations as they were with version 2.3.15
Added sysconfdir and bindir to the configure options to achieve this.
- Update from version 2.3.15 (2012) to 2.3.15.4 (2018)
- Update of rootfile.
- The original site for xinetd is no longer accessible.
- Version 2.3.15 was the last version from https://github.com/xinetd-org/xinetd
OpenSUSE have forked the repo and have provided 2.3.15.3 and 2.3.15.4 to collect a range
of patches together from openSUSE, Debian, Fedora, Gentoo etc.
Last bug fix was done on this github repo in Sep 2022 and the last commit in Oct 2022.
- This is as up to date as there is currently available.
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
- Update from version 3.6.3 to 4.0.8 covering 22 releases.
- Update of rootfile
- Ran find-dependencies due to sobump. Everything is linked to tshark files. No additional
bumping required.
- Changelog is too large to cover with 22 releases. For details see the release notes
page on the website - https://www.wireshark.org/docs/relnotes/
4.0.8 Four vulnerabilities fixed.
4.0.7 Two vulnerabilities fixed.
4.0.6 Nine vulnerabilities fixed.
4.0.5 Three vulnerabilities fixed.
4.0.4 One vulnerability fixed.
4.0.3 Seven vulnerabilities fixed.
Didn't check anymore. Based on above this package definitely needs to be regulalrly
updated as it is obviolusly susceptible to vulnerabilities.
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
- Update foomatic-db-engine from version 4.0.9 (2013) to 4.0.13 (2018)
- Update foomatic-db from version 20131023 to 20230828
- Update of rootfile
- Changelog
foomatic-db
See the ChangeLog file in the foomatic-db source tarball. Too long to include here.
foomatic-db-engine
4.0.13.
* README, USAGE, configure.ac: Updated for release 4.0.13.
* Makefile.in: Add support for LDFLAGS variable (bug #1422).
* configure.ac: Allow user-configurable PERLPREFIX via environment
variable (Bug #1294).
4.0.12.
* README, USAGE, configure.ac: Updated for release 4.0.12.
* foomatic-ppdfile.in: Foomatic doesn't provide some offered PPD
files. Thanks to Marek Kasik for the patch (bug #1238).
* foomatic-ppd-to-xml.in: Let missing XML files be added when to a
PPD with already existing XML files new "*Product:" lines get
added.
4.0.11.
* README, USAGE, configure.ac: Updated for release 4.0.11.
* lib/Foomatic/DB.pm: Do not interpret option default values set to
"0" in PPD files as no default setting defined. Thanks to Deng
Pang from Ricoh (DengPang at rst dot ricoh dot com) for the report.
4.0.10.
* README, USAGE, configure.ac: Updated for release 4.0.10.
* foomatic-addpjloptions.in: Make foomatic-addpjloptions work with
the system's Foomatic database, too.
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
For details see:
http://midnight-commander.org/wiki/NEWS-4.8.30
Summary:
"Major changes since 4.8.29
Core
Support PCRE2 as search engine (via --with-search-engine=pcre2) (#4450)
Implement panelization buffers for both file panels (#4370)
VFS
tar: support extended headers (including long file names and sparse files) (#1952, #2201)
extfs helpers: replace "perl -w" with "use warnings" (MidnightCommander?/mc#174)
extfs/patchfs: be more specific in error message (#4485)
Editor
Add syntax highlighting:
Jenkinsfiles (#4469)
B language (#4470)
Improve syntax highlighting:
ECMAScript (MidnightCommander?/mc#172)
ECMAScript in TypeScript? (MidnightCommander?/mc#172)
use diff syntax highlighting for git commit messages (COMMIT_EDITMSG) (MidnightCommander?/mc#85)
Misc
Code cleanup (#4426, #4438)
Filehighlight:
recognize vsix files as zip files (MidnightCommander?/mc#171)
Skin updates:
julia256 (#4441, #4445)
Fixes
Usage of 'sed' in build system/makefiles is not portable (#4459, #4466)
Unportable '$<' in Makefiles (#4460)
FTBFS if ncurses used without --with-ncurses-includes= configure parameter (#4462)
Ncurses library is duplicated in MCLIBS (#4463, #4465)
FTBFS without ext2fs attributes support (#4464)
Wrong sort order after swapping panels (#4432)
Incorrect time delimiter in the copy/move progress window (#4437)
Incorrect redraw of overlapped file panels (#4408)
Subshell/Command? line prompt is empty/missing (#3121)
Find file: relative ignore directory is applied to the start search directory (#4235)
Diff viewer: options are not applied on second run (#4486)
mc.ext.ini: 'Edit' command from 'Default' section is ignored (#4434)
mc.ext.ini: .md files are not recognized as Markdown ones by extension (#4444)
mcedit: off-by-one error in paragraph formatting (#4446)
ftp: incomplete file listing: block and character devices, pipes, sockets are missed (#4472)
Various typos in the source code (MidnightCommander?/mc#177, MidnightCommander?/mc#178)"
Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
- Update from version 9.1.0 to 10.0.0
- Update of rootfile
- sobump so ran ./make find dependencies. This highlighted mpd but that needs to be
updated anyway as the existing version does not build with fmt-10.0.0
- Changelog is too large to include here. See the file ChangeLog.rst in the source tarball
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
- sox was used for asterix but that addon was removed in Core Update 158 so sox is no
longer needed.
- remove the lfs and rootfile files and remove sox from the make.sh script
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
- Update from version 2.64.0 to 2.107.0
- Update of rootfile
- Changelog is too large to include here. For details look at the CHANGELOG.rst file in
the source tarball.
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
- Update from version 3.7.3 to 3.29.4
- Update of rootfile
- Changelog is too large to include here. For details of the changes see the CHANGELOG.rst
file in the source tarball
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
- Update from version 7.92 to 7.94
- Update of rootfile
- Changelog
7.94 [2023-05-19]
o Zenmap and Ndiff now use Python 3! Thanks to the many contributors who made
this effort possible:
+ [GH#2088][GH#1176][Zenmap] Updated Zenmap to Python 3 and PyGObject. [Jakub Kulík]
+ [GH#1807][GH#1176][Ndiff] Updated Ndiff to Python 3. [Brian Quigley]
+ Additional Python 3 update fixes by Sam James, Daniel Miller. Special thanks
to those who opened Python 3-related issues and pull requests: Eli
Schwartz, Romain Leonard, Varunram Ganesh, Pavel Zhukov, Carey Balboa,
Hasan Aliyev, and others.
o [Windows] Upgraded Npcap (our Windows raw packet capturing and
transmission driver) from version 1.71 to the latest version 1.75. It
includes dozens of performance improvements, bug fixes and feature
enhancements described at https://npcap.com/changelog.
o Nmap now prints vendor names based on MAC address for MA-S (24-bit), MA-M
(28-bit), and MA-L (36-bit) registrations instead of the fixed 3-byte MAC
prefix used previously for lookups.
o Added partial silent-install support to the Nmap Windows
installer. It previously didn't offer silent mode (/S) because the
free/demo version of Npcap Windoes packet capturing driver that it
needs and ships with doesn't include a silent installer. Now with
the /S option, Nmap checks whether Npcap is already installed
(either the free version or OEM) and will silently install itself if
so. This is similar to how the Wireshark installer works and is
particularly helpful for organizations that want to fully automate
their Nmap (and Npcap) deployments. See
https://nmap.org/nmap-silent-install for more details.
o Lots of profile-guided memory and processing improvements for Nmap, including
OS fingerprint matching, probe matching and retransmission lookups for large
hostgroups, and service name lookups. Overhauled Nmap's string interning and
several other startup-related procedures to speed up start times, especially
for scans using OS detection. [Daniel Miller]
o Integrated many of the most-submitted IPv4 OS fingerprints for recent
versions of Windows, iOS, macOS, Linux, and BSD. Added 22 fingerprints,
bringing the new total to 5700!
o [NSE][GH#548] Added the tftp-version script which requests a
nonexistent file from a TFTP server and matches the error message
to a database of known software. [Mak Kolybabi]
o [Ncat][GH#1223] Ncat can now accept "connections" from multiple UDP hosts in
listen mode with the --keep-open option. This also enables --broker and
--chat via UDP. [Daniel Miller]
o [GH#2575] Upgraded OpenSSL binaries (for the Windows builds and for
RPM's) to version 3.0.8. This resolves some CVE's (CVE-2022-3602;
CVE-2022-3786) which don't impact Nmap proper since it doesn't do
certificate validation, but could possibly impact Ncat when the
--ssl-verify option is used.
o Upgrade included libraries: zlib 1.2.13, Lua 5.4.4, libpcap 1.10.4
o [GH#2532] Removed the bogus OpenSSL message from the Windows Nmap
executable which looked like "NSOCK ERROR ssl_init_helper(): OpenSSL
legacy provider failed to load." We actually already have the legacy
provider built-in to our OpenSSL builds, and that's why loading the
external one fails.
o [GH#2541] UDP port scan (-sU) and version scan (-sV) now both use the same
data source, nmap-service-probes, for data payloads. Previously, the
nmap-payloads file was used for port scan. Port scan responses will be used
to kick-start the version matching process. [Daniel Miller]
o Nmap's service scan (-sV) can now probe the UDP service behind a DTLS tunnel,
the same as it already does for TCP services with SSL/TLS encryption. The
DTLSSessionReq probe has had its rarity lowered to 2 to allow it to be sent
sooner in the scan. [Daniel Miller]
o [Ncat] Ncat in listen mode with --udp --ssl will use DTLS to secure incoming
connections. [Daniel Miller]
o [GH#1023] Handle Internationalized Domain Names (IDN) like Яндекс.рф on
platforms where getaddrinfo supports the AI_IDN flag. [Daniel Miller]
o [Ncat] Addressed an issue from the Debian bug tracker
(https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=969314) regarding data
received immediately after a SOCKS CONNECT response. Ncat can now be
correctly used in the ProxyCommand option of OpenSSH.
o Improved DNS domain name parsing to avoid recursion and enforce name length
limits, avoiding a theoretical stack overflow issue with certain crafted DNS
server responses, reported by Philippe Antoine.
o [GH#2338][NSE] Fix mpint packing in ssh2 library, which was causing OpenSSH
errors like "ssh_dispatch_run_fatal: bignum is negative" [Sami Loone]
o [GH#2507] Updates to the Japanese manpage translation by Taichi Kotake.
o [Ncat][GH#1026][GH#2426] Dramatically speed up Ncat transfers on
Windows by avoiding a 125ms wait for every read from
STDIN. [scriptjunkie]
o [GH#1192][Windows] Periodically reset the system idle timer to keep the
system from going to sleep while scans are in process. This only affects port
scans and OS detection scans, since NSE and version scan do not rely on
timing data to adjust speed.
o Updated the Nmap Public Source License (NPSL) to Version 0.95. This
just clarifies that the derivative works definition and all other
license clauses only apply to parties who choose to accept the
license in return for the special rights granted (such as Nmap
redistribution rights). If a party can do everything they need to
using copyright provisions outside of this license such as fair use,
we support that and aren't trying to claim any control over their
work. Versions of Nmap released under previous versions of the NPSL
may also be used under the NPSL 0.95 terms.
o Avoid storing many small strings from IPv4 OS detection results in the global
string_pool. These were effectively leaked after a host is done being
scanned, since string_pool allocations are not freed until Nmap quits.
7.93 [2022-09-01]
o This release commemorates Nmap's 25th anniversary! It all started with this
September 1, 1997 Phrack article by Fyodor: https://nmap.org/p51-11.html.
o [Windows] Upgraded Npcap (our Windows raw packet capturing and
transmission driver) from version 1.50 to the latest version 1.71. It
includes dozens of performance improvements, bug fixes and feature
enhancements described at https://npcap.com/changelog.
o Ensure Nmap builds with OpenSSL 3.0 using no deprecated API functions.
Binaries for this release include OpenSSL 3.0.5.
o Upgrade included libraries: libssh2 1.10.0, zlib 1.2.12, Lua 5.3.6, libpcap 1.10.1
o [GH#2416] Fix a bug that prevented Nmap from discovering interfaces on Linux
when no IPv4 addresses were configured. [Daniel Miller, nnposter]
o [NSE][GH#2463] NSE "exception handling" with nmap.new_try() will no longer
result in a stack traceback in debug output nor a "ERROR: script execution
failed" message in script output, since the intended behavior has always been
to end the script immediately without output. [Daniel Miller]
o [GH#2494] Update the Nmap output DTD to match actual output since the
`<hosthint>` element was added in Nmap 7.90.
o [NSE][GH#2496] Fix newtargets support: since Nmap 7.92, scripts could not add
targets in script pre-scanning phase. [Daniel Miller]
o [GH#2468] Scripts dhcp-discover and broadcast-dhcp-discover now support
setting a client identifier. [nnposter]
o [GH#2331][GH#2471] Script oracle-tns-version was not reporting the version
correctly for Oracle 19c or newer [linholmes]
o [GH#2296][GH#2342] Script redis-info was crashing or producing inaccurate
information about client connections and/or cluster nodes. [nnposter]
o [GH#2379] Nmap and Nping were unable to obtain system routes on FreeBSD
[benpratt, nnposter]
o [GH#2464] Script ipidseq was broken due to calling an unreachable library
function. [nnposter]
o [GH#2420][GH#2436] Support for EC crypto was not properly enabled if Nmap
was compiled with OpenSSL in a custom location. [nnposter]
o [NSE] Improvements to event handling and pcap socket garbage collection,
fixing potential hangs and crashes. [Daniel Miller]
o We ceased creating the Nmap win32 binary zipfile. It was useful back when
you could just unzip it and run Nmap from there, but that hasn't worked well
for many years. The win32 self-installer handles Npcap installation and many
other dependencies and complexities. Anyone who needs the binaries for some
reason can still install Nmap on any system and retrieve them from there.
For now we're keeping the Win32 zipfile in the Nmap OEM Edition
(https://nmap.org/oem) for companies building Nmap into their own
products. But even in that case we believe that running the Nmap OEM
self-installer in silent mode is a better approach.
o [GH#2388] Fix TDS7 password encoding for mssql.lua, which had been assuming
ASCII input even though other parts of the library had been passing it Unicode.
o [GH#2402] Replace deprecated CPEs for IIS with their updated identifier,
cpe:/a:microsoft:internet_information_services [Esa Jokinen]
o [NSE][GH#2393] Fix script-terminating error when unknown BSON data types are
encountered. Added parsers for most standard data types. [Daniel Miller]
o [Ncat] Fix hostname/certificate comparison and matching to handle ASN.1
strings without null terminators, a similar bug to OpenSSL's CVE-2021-3712.
o [Ncat][GH#2365] Added support for SOCKS5 proxies that return bind addresses
as hostnames, instead of IPv4/IPv6 addresses. [pomu0325]
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
- Update from version 3.22.6 to 3.23.5
- Update of rootfile
- Changelog
3.23.5 - This release has the following changes:
Added support for the following new Printers:
HP Color LaserJet Enterprise 6700dn
HP Color LaserJet Enterprise 6700
HP Color LaserJet Enterprise 6701dn
HP Color LaserJet Enterprise 6701
HP Color LaserJet Enterprise X654dn
HP Color LaserJet Enterprise X65455dn
HP Color LaserJet Enterprise X654
HP Color LaserJet Enterprise X65465dn
HP Color LaserJet Enterprise X654 65 PPM
HP Color LaserJet Enterprise X654 55 to 65ppm License
HP Color LaserJet Enterprise X654 Down License
HP Color LaserJet Enterprise MFP 6800dn
HP Color LaserJet Enterprise Flow MFP 6800zf
HP Color LaserJet Enterprise Flow MFP 6800zfsw
HP Color LaserJet Enterprise Flow MFP 6800zfw+
HP Color LaserJet Enterprise MFP 6800
HP Color LaserJet Enterprise MFP 6801
HP Color LaserJet Enterprise MFP 6801 zfsw
HP Color LaserJet Enterprise Flow MFP 6801zfw+
HP Color LaserJet Enterprise MFP X677 55 to 65ppm License
HP Color LaserJet Enterprise MFP X677 65ppm
HP Color LaserJet Enterprise MFP X677s
HP Color LaserJet Enterprise Flow MFP X677z
HP Color LaserJet Enterprise MFP X67765dn
HP Color LaserJet Enterprise Flow MFP X67765zs
HP Color LaserJet Enterprise Flow MFP X67765z+
HP Color LaserJet Enterprise MFP X677
HP Color LaserJet Enterprise MFP X67755dn
HP Color LaserJet Enterprise Flow MFP X67755zs
HP Color LaserJet Enterprise Flow MFP X67755z+
HP Color LaserJet Enterprise MFP X677dn
HP Color LaserJet Enterprise Flow MFP X677zs
HP Color LaserJet Enterprise Flow MFP X677z+
HP Color LaserJet Enterprise 5700dn
HP Color LaserJet Enterprise 5700
HP Color LaserJet Enterprise X55745dn
HP Color LaserJet Enterprise X55745
HP Color LaserJet Enterprise MFP 5800dn
HP Color LaserJet Enterprise MFP 5800f
HP Color LaserJet Enterprise Flow MFP 5800zf
HP Color LaserJet Enterprise MFP 5800
HP Color LaserJet Enterprise MFP X57945
HP Color LaserJet Enterprise Flow MFP X57945zs
HP Color LaserJet Enterprise MFP X57945dn
HP Color LaserJet Enterprise Flow MFP X57945z
3.23.3 - This release has the following changes:
Added support for following new Distro's:
LinuxMint 21.1
MxLinux 21.3
Elementary OS 7
Ubuntu 22.10
RHEL 8.6
RHEL 8.7
RHEL 9.1
Fedora 37
Added support for the following new Printers:
HP Smart Tank 520_540 series
HP Smart Tank 580-590 series
HP Smart Tank 5100 series
HP Smart Tank 210-220 series
3.22.10 - This release has the following changes:
Added support for following new Distro's:
Manjaro 21.3
Suse 15.4
RHEL 9
Linux Mint 21.0
Mx Linux 21.2
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
- Update from version 2.38.1 to 2.41.0
- Update of rootfile
- Changelog is too large to show here. Look in the Source tarball in Documentation
RelNotes and each of the version numbers released - 2.38.2, 2.38.3, 2.38.4, 2.38.5,
2.39.0, 2.39.1, 2.39.2, 2.39.3, 2.40.0, 2.40.1, 2.41.0
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
- Update from version 8.0.1 to 8.5.2
- Update of rootfile
- tar.xz versions are no longer provided by the developers. They onl provide the tar.gz
that is automatically created by github. This started shortly after 8.0.1 was released
- Changelog is too large to include here. For full details see the changelog details at
https://github.com/FRRouting/frr/releases
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
- Update from version 3.0.26 to 3.2.3
- Update of rootfile
- Changelog
3.2.3
Feature Improvements
Add "max_retries" for connection pools. Fixes#4908. Patch from Nick Porter.
Update dictionary.ciena, dictionary.huawei, dictionary.wifialliance and
dictionary.wispr; add dictionary.eleven.
You can now list "eap" in the "pre-proxy" section. If the packet contains a
malformed EAP message, then the request will be rejected The home server
will either reject (or discard) this packet anyways, so this change can only
help with large proxy scenarios.
Show warnings if libldap is not using OpenSSL.
Support RADIUS/1.1. See
https://datatracker.ietf.org/doc/draft-dekok-radext-radiusv11/ Disabled by
default, can be enabled by passing `--with-radiusv11` to the configure
script. For now, this is for testing interoperability.
Add extra sanity checks for malformed EAP attributes.
More TLS debugging output.
Clear old module instance data before HUP reload. Avoids burst memory use
when e.g. using large data files with rlm_files. Patch from Nick Porter.
`rlm_cache_redis` is now included in the freeradius-redis packages.
Separate out python2/python3 in Debian Packages. Previously python 2 or 3 was
built depending on the system default which led to confusion. We now build
both freeradius-python2 and freeradius-python3 packages where possible.
Bug Fixes
Don't leak MD contexts with OpenSSL 3.0.
Increase internal buffer size for TLS connections, which can help with
high-load proxies.
Send Status-Server checks for TLS connections.
Give descriptive error if "update CoA" is used with "fake" packets, as it
won't work. i.e. inner-tunnel and virtual home servers.
Many small ASAN / LSAN fixes from Jorge Pereira.
Close inbound RADIUS/TLS socket on TLS errors. When a home server sees a TLS
error, it will now close the socket, so proxies do not have an open (but
dead) TLS connection.
Fix mutex locking issues on inbound RADIUS/TLS connections This change avoids
random issues with "bad record mac".
Improve REST encoding loop. Patch from Herwin Weststrate. Closes#4950.
Correctly report the LDAP group a user was found in. Fixes#3084 Patch from
Nick Porter.
Force correct packet type when running Post-Auth-Type. Helps with #4980.
Fix small leak in Client-Lost code. Patch from Terry Burton. PR #4996.
Fix TCP socket statistics. Closes#4990.
Use NAS-Port-Id instead of NAS-Port during SQL simultaneous-use checks. Helps
with #5010.
3.2.2
Feature Improvements
The "configure" process now gives a much clearer report when it's finished.
Patches by Matthew Newton.
Fallback to "uname -n" on missing "hostname". Fixes#4771.
Export thread details in radmin "stats threads". Fixes#4770.
Improve queries for processing radacct into periodic usage data Fix from Nick
Porter.
Update dictionary.juniper.
Add dictionary.calix.
Fix dictionary.rfc6519 DS-Lite-Tunnel-Name to be "octets".
Update documentation for robust-proxy-accounting, and be more aggressive
about sending packets.
Add per-module README.md files in the source.
Add default Visual Studio configuration for developers.
Postgres can now automatically use alternate queries for errors other than
duplicate keys.
%{listen:TLS-PSK-Identity} is now set when using PSK and psk_query This helps
the server track the identity of the client which is connecting.
Include thread stats in Status-Server attributes. Fixes#4870.
Mark rlm_unbound stable and add to packages. Patches by Nick Porter.
Remove broken/unsupported Dockerfiles for centos8 and debian9.
Ensure Docker containers have stable uid/gid. Patches from Terry Burton.
Bug Fixes
Preliminary support for non-blocking TLS sockets. Helps with #3501.
Fix support for partial certificate chains after adding reload support.
Fixes#4753.
Fix handling of debug_condition.
Clean up home server states, and re-sync with the dictionaries.
Correct certificate order when creating TLS-* attributes Fixes#4785.
Update use of isalpha() etc. so broken configurations have less impact on the
server.
Outgoing TLS sockets now set SNI correctly from the "hostname" configuration
item.
Support Apple Homebrew on the M1. Fixes#4754.
Better error messages when %{listen:TLS-...} is used.
Getting statistics via Status-Server can now be done within a virtual server.
Fixes#4868.
Make TTLS+MS-CHAP work with TLS 1.3. Fixes#4878.
Fix md5 xlat memory leak when using OpenSSL 3. Fix by Terry Burton.
3.2.1
Feature Improvements
Add dictionary.ciena, dictionary.nile, and DHCPv4 dictionaries,.
Add simultaneous-use queries for MS SQL.
Add radmin command for "stats pool <module-name>" Which prints out statistics
about the connection pools.
Client statistics now shows "conflicts", to count conflicting packets.
New optional "lightweight accounting-on/off" strategy. When refreshing
queries.conf you should also add the new nasreload table and corresponding
GRANTs to your DB schema.
Add TLS-Client-Cert-X509v3-Certificate-Policies, which helps with Eduroam.
Suggested by Stefan Winter.
Allow auth+acct for TCP sockets, too.
Add rlm_cache_redis. See raddb/mods-available/cache for details.
Allow radmin to look up home servers by name, too.
Ensure that dynamic clients don't create loops on duplicates Reported by Sam
Yee.
Removed rlm_sqlhpwippool. There was no documentation, no configuration, and
the module was ~15 years old with no one using it.
Marked rlm_python3 as stable.
Add sigalgs_list. See raddb/mods-available/eap. Patch from Boris Lytochkin.
For rlm_linelog, when opening files in /dev, look at "permissions" to see
whether to open them r/w.
More flexibility for dynamic home servers. See
doc/configuration/dynamic_home_servers.md and raddb/home_servers/README.md.
Allow setting of application_name for PostgreSQL. See mods-available/sql.
Bug Fixes
Correct test for open sessions in radacct for MS SQL.
The linelog module now opens /dev/stdout in "write-only" mode if the
permissions are set to "u+w" (0002).
Various fixes to rlm_unbound from Nick Porter.
PEAP now correctly runs Post-Auth-Type Accept.
Create "TLS-Cert-*" for outbound Radsec, instead of TLS-Client-Cert-*
Fixes#4698. See sites-available/tls, and fix_cert_order.
Minor updates and fixes to CI, Dockerfiles and packaging.
Fix rlm_python3 build with python >= 3.10. Fixes#4441.
3.2.0
Feature Improvements
All features from 3.0.x are included in the 3.2.x releases. In addition:.
Add 'reset_day' and '%%r' parameter for rlm_sqlcounter to specify which day
of the month the counter should be reset.
Partial backport of rlm_json from v4, providing the json_encode xlat See
mods-available/json for documentation.
Support for haproxy "PROXY" protocol See sites-available/tls,
"proxy_protocol" and doc/antora/modules/howto/pages/protocols/proxy/.
Support for sending CoA-Request and Disconnect-Request packets in "reverse"
down RadSec tunnels. Experimental for now, and undocumented.
It is now possible to run a virtual server when saving / loading TLS cache
attributes. See sites-available/tls-cache for more information.
Removed the "cram" module. It was undocumented, and used old and insecure
authentication methods.
Remove the "otp" module. The "otpd" program it needs is no longer available,
and the module has not been usable since at least 2015.
All features from 3.0.x are included in the 3.2.x releases.
3.2.0 requires OpenSSL 1.0.2 or greater.
Bug Fixes
All bug fixes from 3.0.x are included in the 3.2.x releases.
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
- Update from version 2.0.10-4 (Sep 2014) to 2.0.11 (Dec 2019)
- Update of rootfile
- Deletion of patch to prevent installing in usr/local as new tarball now has a ./configure
file that enables setting prefix to /usr and sysconfdir to /etc
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
- Update from version 2.26.5 to 2.28.1
- Update of rootfile
- Changelog
2.28.1
This is a stable bugfix release, with the following changes:
Added support for the Nintendo Online Famicom controllers
Improved support for third-party Nintendo Switch controllers
Fixed setting the player LED on Nintendo Switch controllers
Added Linux controller mapping for the Logitech Chillstream
Fixed appending to a file greater than 4GB in size on Windows
2.28.0
Thanks to all the people who contributed code and feedback, SDL 2.28.0 is now
available!
In addition to lots of bug fixes, here are the major changes in this release:
General:
Added SDL_HasWindowSurface() and SDL_DestroyWindowSurface() to switch between
the window surface and rendering APIs
Added a display event SDL_DISPLAYEVENT_MOVED which is sent when the primary
monitor changes or displays change position relative to each other
Added the hint SDL_HINT_ENABLE_SCREEN_KEYBOARD to control whether the
on-screen keyboard should be shown when text input is active
With this release, SDL 2.0 is entering maintenance mode. While we will continue
to support the library and provide stable bug fix updates, the SDL team is
focusing on SDL 3.0 and all new feature development will be happening there. We
are simultaneously bringing up sdl2-compat so your existing SDL 2.0 applications
can run on the SDL 3.0 runtime in the future.
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
- Removal of lfs file
- Removal of rootfile
- Removal of backup includes file
- Removal of three patches
- Removal of paks files
- Adjustment of make.sh to remove squidclamav
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Reviewed-by: Peter Müller <peter.mueller@ipfire.org>
- Update from version 0.7.5 to 0.9.4
- Update of rootfile
- wavemon would not build because it could not find the netlink include files. wavemon was
still looking in include/netlink/ as for libnl version 1 but with libnl3 the include
files are in include/libnl3/netlink/
- Based on an issue entry in the wavemon github repo I created the patch to force wavemon
to look in the correct place.
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
- What is it?
rsnapshot is a filesystem snapshot utility based on
rsync. rsnapshot makes it easy to make periodic snapshots of the
ipfire device. The code makes extensive use of hard links whenever
possible, to greatly reduce the disk space required. See:
https://rsnapshot.org
- Why is it needed?
Rsnapshot backups run multiple times per day
(e.g., once per day up to 24 times per day). Rsnapshot is much easier
to configure, setup and use than the borg backup add-on. (I found
borg somewhat confusing). Rsnapshot completes each backup very fast.
Unlike borg, rsnapshot does not compress each backup before storage.
During a complete rebuild, borg backup need installation of the borg
add-on to recover archived files. Rsnapshot backups can be copied
directly from the backup drive. Current backups (backup.pl or borg)
could corrupt sqlite3 databases by running a backup during a database
write. This add-on includes a script specifically for sqlite backups.
- IPFire Wiki
In process at: https://wiki.ipfire.org/addons/rsnapshot
Thanks to Gerd for creating a first build and a nice template for me!
Signed-off-by: Jon Murphy <jon.murphy@ipfire.org>
- Moved rootfile from common to packages and commented out all entries.
- Updated lfs file from addon to core package that is only used for build
Tested-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
- Based on input from Arne Fitzenreiter there are conf files that alsa complains about if
they are not present. This patch uncomments all the default conf files
- The backup include file is also added to the rootfile.
Suggested-by: Arne Fitzenreiter <arne_f@ipfire.org>
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
- Configure Zabbix Agent to log to syslog instead of its own logs.
- Remove old zabbix log-dir and logrotate settings from rootfile, lfs
and install-script.
- Update log.dat to view Zabbix Agent logging from syslog.
Signed-off-by: Robin Roevens <robin.roevens@disroot.org>
For details see:
https://blog.clamav.net/2023/05/clamav-110-released.html
"Major changes
Added the ability to extract images embedded in HTML CSS <style> blocks.
Updated to Sigtool so that the --vba option will extract VBA code from
Microsoft Office documents the same way that libclamav extracts VBA.
This resolves several issues where Sigtool could not extract VBA.
Sigtool will also now display the normalized VBA code instead of the
pre-normalized VBA code.
Added a new ClamScan and ClamD option: --fail-if-cvd-older-than=days.
Additionally, we introduce FailIfCvdOlderThan as a clamd.conf synonym
for --fail-if-cvd-older-than. When passed, it causes ClamD to exit on
startup with a non-zero return code if the virus database is older than
the specified number of days.
Added a new function cl_cvdgetage() to the libclamav API. This function
will retrieve the age in seconds of the youngest file in a database
directory, or the age of a single CVD (or CLD) file.
Added a new function cl_engine_set_clcb_vba() to the libclamav API. Use
this function to set a cb_vba callback function. The cb_vba callback
function will be run whenever VBA is extracted from office documents.
The provided data will be a normalized copy of the extracted VBA. This
callback was added to support Sigtool so that it can use the same VBA
extraction logic that ClamAV uses to scan documents.
Other improvements
Removed the vendored TomsFastMath library in favor of using OpenSSL to
perform "big number"/multiprecision math operations. Work courtesy of
Sebastian Andrzej Siewior.
Build system: Added CMake option DO_NOT_SET_RPATH to avoid setting
RPATH on Unix systems. Feature courtesy of Sebastian Andrzej Siewior.
Build system: Enabled version-scripts with CMake to limit symbol
exports for libclamav, libfreshclam, libclamunrar_iface, and
libclamunrar shared libraries on Unix systems, excluding macOS.
Improvement courtesy of Orion Poplawski and Sebastian Andrzej Siewior.
Build system: Enabled users to pass in custom Rust compiler flags using
the RUSTFLAGS CMake variable. Feature courtesy of Orion Poplawski.
Removed a hard-coded alert for CVE-2004-0597. The CVE is old enough
that it is no longer a threat and the detection had occasional
false-positives.
Set Git attributes to prevent Git from altering line endings for Rust
vendored libraries. Third-party Rust libraries are bundled in the
ClamAV release tarball. We do not commit them to our own Git
repository, but community package maintainers may now store the tarball
contents in Git. The Rust build system verifies the library manifest,
and this change ensures that the hashes are correct. Improvement
courtesy of Nicolas R.
Fixed compile time warnings. Improvement courtesy of Razvan Cojocaru.
Added a minor optimization when matching domain name regex signatures
for PDB, WDB and CDB type signatures.
Build system: Enabled the ability to select a specific Python version.
When building, you may use the CMake option -D
PYTHON_FIND_VER=<version> to choose a specific Python version. Feature
courtesy of Matt Jolly.
Added improvements to the ClamOnAcc process log output so that it is
easier to diagnose bugs.
Windows: Enabled the MSI installer to upgrade between feature versions
more easily when ClamAV is installed to a location different from the
default (i.e., not C:\Program Files\ClamAV). This means that the MSI
installer can find a previous ClamAV 1.0.x installation to upgrade to
ClamAV 1.1.0.
Sigtool: Added the ability to change the location of the temp directory
using the --tempdir option and added the ability to retain the temp
files created by Sigtool using the --leave-temps option.
Other minor improvements.
Bug fixes
Fixed the broken ExcludePUA / --exclude-pua feature. Fix courtesy of
Ged Haywood and Shawn Iverson.
Fixed an issue with integer endianness when parsing Windows executables
on big-endian systems. Fix courtesy of Sebastian Andrzej Siewior.
Fixed a possible stack overflow read when parsing WDB signatures. This
issue is not a vulnerability.
Fixed a possible index out of bounds when loading CRB signatures. This
issue is not a vulnerability.
Fixed a possible use after free when reading logical signatures. This
issue is not a vulnerability.
Fixed a possible heap overflow read when reading PDB signatures. This
issue is not a vulnerability.
Fixed a possible heap overflow read in javascript normalizer module.
This issue is not a vulnerability.
Fixed two bugs that would cause Freshclam to fail update when applying
a CDIFF database patch if that patch adds a file to the database
archive or removes a file from the database archive. This bug also
caused Sigtool to fail to create such a patch.
Fixed an assortment of complaints identified by Coverity static analysis.
Fixed one of the Freshclam tests that was failing on some Fedora
systems due to a bug printing debug-level log messages to stdout. Fix
courtesy of Arjen de Korte.
Correctly remove temporary files generated by the VBA and XLM
extraction modules so that the files are not leaked in patched versions
of ClamAV where temporary files are written directly to the
temp-directory instead of writing to a unique subdirectory."
Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
- Update from version 5.1.2 to 6.0
- Update of rootfile
- sobump occurs so find-dependencies checked and the addons mpd, shairport-sync &
minidlna will be bumped to the next PAK_VER as a patch set with this change.
- Changelog
version 6.0:
- Radiance HDR image support
- ddagrab (Desktop Duplication) video capture filter
- ffmpeg -shortest_buf_duration option
- ffmpeg now requires threading to be built
- ffmpeg now runs every muxer in a separate thread
- Add new mode to cropdetect filter to detect crop-area based on motion vectors and edges
- VAAPI decoding and encoding for 10/12bit 422, 10/12bit 444 HEVC and VP9
- WBMP (Wireless Application Protocol Bitmap) image format
- a3dscope filter
- bonk decoder and demuxer
- Micronas SC-4 audio decoder
- LAF demuxer
- APAC decoder and demuxer
- Media 100i decoders
- DTS to PTS reorder bsf
- ViewQuest VQC decoder
- backgroundkey filter
- nvenc AV1 encoding support
- MediaCodec decoder via NDKMediaCodec
- MediaCodec encoder
- oneVPL support for QSV
- QSV AV1 encoder
- QSV decoding and encoding for 10/12bit 422, 10/12bit 444 HEVC and VP9
- showcwt multimedia filter
- corr video filter
- adrc audio filter
- afdelaysrc audio filter
- WADY DPCM decoder and demuxer
- CBD2 DPCM decoder
- ssim360 video filter
- ffmpeg CLI new options: -stats_enc_pre[_fmt], -stats_enc_post[_fmt],
-stats_mux_pre[_fmt]
- hstack_vaapi, vstack_vaapi and xstack_vaapi filters
- XMD ADPCM decoder and demuxer
- media100 to mjpegb bsf
- ffmpeg CLI new option: -fix_sub_duration_heartbeat
- WavArc decoder and demuxer
- CrystalHD decoders deprecated
- SDNS demuxer
- RKA decoder and demuxer
- filtergraph syntax in ffmpeg CLI now supports passing file contents
as option values, by prefixing option name with '/'
- hstack_qsv, vstack_qsv and xstack_qsv filters
For more details about the changes you have to review the commits in the git repo
https://git.ffmpeg.org/gitweb/ffmpeg.git/shortlog/n6.0
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
- Updsate from version 1.3.1 to 1.4
- Update of rootfile
- Changelog
opus 1.4 major release brings the following improvements and fixes:
Improved tuning of the Opus in-band FEC (LBRR).
See https://gitlab.xiph.org/xiph/opus/-/issues/2360 for details
Added a OPUS_SET_INBAND_FEC(2) option that turns on FEC, but does not force
SILK mode (FEC will be disabled in CELT mode)
Improved tuning and various fixes to DTX
Added Meson support, improved CMake support In addition to the improvements
above, this release includes many minor bug fixes.
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
- Update from version 2.26.4 to 2.26.5
- Update of rootfile
- Changelog
2.26.5
The minimum deployment target on macOS is now 10.11, due to changes in the
latest Xcode update
Fixed incorrect modifier keys handling on macOS
Fixed occasional duplicate controller visible on macOS
Fixed handling of third party PS4 controller input reports
Added support for the trigger buttons on the Victrix Pro FS for PS5
Added mapping for Flydigi Vader 2 with the latest firmware (6.0.4.9)
Added mapping for DualSense Edge Wireless Controller on Linux
Added mapping for Hori Pokken Tournament DX Pro Pad
Improved the speed and quality of audio resampling
Fixed crash on Linux if dbus can't be initialized
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
- Update from version 4.17.5 to 4.18.1
- Update of rootfile
some libraries now use x86-64 instead of x86_64 but most are still left with x86_64
Good thing that we create a separate version of the rootfile for each architecture
because it is no longer just the arm version that is unique but also the x86_64 one.
- Since version 4.17.0 it has been possible to do a build excluding SMB1 server capability.
As SMB1 is insecure and has known exploits including ransomeware based ones it seems
reasonable to build samba without SMB1 server capability for use on a firewall.
The option to build wiythout SMB1 server capability has been added to the LFS file.
- Changelog
Release Notes for Samba 4.18.1
This is a security release in order to address the following defects:
o CVE-2023-0225: An incomplete access check on dnsHostName allows authenticated
but otherwise unprivileged users to delete this attribute from
any object in the directory.
https://www.samba.org/samba/security/CVE-2023-0225.html
o CVE-2023-0922: The Samba AD DC administration tool, when operating against a
remote LDAP server, will by default send new or reset
passwords over a signed-only connection.
https://www.samba.org/samba/security/CVE-2023-0922.html
o CVE-2023-0614: The fix in 4.6.16, 4.7.9, 4.8.4 and 4.9.7 for CVE-2018-10919
Confidential attribute disclosure via LDAP filters was
insufficient and an attacker may be able to obtain
confidential BitLocker recovery keys from a Samba AD DC.
Installations with such secrets in their Samba AD should
assume they have been obtained and need replacing.
https://www.samba.org/samba/security/CVE-2023-0614.html
* BUG 15276: CVE-2023-0225.
* BUG 15270: CVE-2023-0614.
* BUG 15331: ldb wildcard matching makes excessive allocations.
* BUG 15332: large_ldap test is inefficient.
* BUG 15315: CVE-2023-0922.
* BUG 15270: CVE-2023-0614.
* BUG 15276: CVE-2023-0225.
Release Notes for Samba 4.18.0
NEW FEATURES/CHANGES
SMB Server performance improvements
The security improvements in recent releases
(4.13, 4.14, 4.15, 4.16), mainly as protection against symlink races,
caused performance regressions for metadata heavy workloads.
While 4.17 already improved the situation quite a lot,
with 4.18 the locking overhead for contended path based operations
is reduced by an additional factor of ~ 3 compared to 4.17.
It means the throughput of open/close
operations reached the level of 4.12 again.
More succinct samba-tool error messages
Historically samba-tool has reported user error or misconfiguration by
means of a Python traceback, showing you where in its code it noticed
something was wrong, but not always exactly what is amiss. Now it
tries harder to identify the true cause and restrict its output to
describing that. Particular cases include:
* a username or password is incorrect
* an ldb database filename is wrong (including in smb.conf)
* samba-tool dns: various zones or records do not exist
* samba-tool ntacl: certain files are missing
* the network seems to be down
* bad --realm or --debug arguments
Accessing the old samba-tool messages
This is not new, but users are reminded they can get the full Python
stack trace, along with other noise, by using the argument '-d3'.
This may be useful when searching the web.
The intention is that when samba-tool encounters an unrecognised
problem (especially a bug), it will still output a Python traceback.
If you encounter a problem that has been incorrectly identified by
samba-tool, please report it on https://bugzilla.samba.org.
Colour output with samba-tool --color
For some time a few samba-tool commands have had a --color=yes|no|auto
option, which determines whether the command outputs ANSI colour
codes. Now all samba-tool commands support this option, which now also
accepts 'always' and 'force' for 'yes', 'never' and 'none' for 'no',
and 'tty' and 'if-tty' for 'auto' (this more closely matches
convention). With --color=auto, or when --color is omitted, colour
codes are only used when output is directed to a terminal.
Most commands have very little colour in any case. For those that
already used it, the defaults have changed slightly.
* samba-tool drs showrepl: default is now 'auto', not 'no'
* samba-tool visualize: the interactions between --color-scheme,
--color, and --output have changed slightly. When --color-scheme is
set it overrides --color for the purpose of the output diagram, but
not for other output like error messages.
New samba-tool dsacl subcommand for deleting ACES
The samba-tool dsacl tool can now delete entries in directory access
control lists. The interface for 'samba-tool dsacl delete' is similar
to that of 'samba-tool dsacl set', with the difference being that the
ACEs described by the --sddl argument are deleted rather than added.
No colour with NO_COLOR environment variable
With both samba-tool --color=auto (see above) and some other places
where we use ANSI colour codes, the NO_COLOR environment variable will
disable colour output. See https://no-color.org/ for a description of
this variable. `samba-tool --color=always` will use colour regardless
of NO_COLOR.
New wbinfo option --change-secret-at
The wbinfo command has a new option, --change-secret-at=<DOMAIN CONTROLLER>
which forces the trust account password to be changed at a specified domain
controller. If the specified domain controller cannot be contacted the
password change fails rather than trying other DCs.
New option to change the NT ACL default location
Usually the NT ACLs are stored in the security.NTACL extended
attribute (xattr) of files and directories. The new
"acl_xattr:security_acl_name" option allows to redefine the default
location. The default "security.NTACL" is a protected location, which
means the content of the security.NTACL attribute is not accessible
from normal users outside of Samba. When this option is set to use a
user-defined value, e.g. user.NTACL then any user can potentially
access and overwrite this information. The module prevents access to
this xattr over SMB, but the xattr may still be accessed by other
means (eg local access, SSH, NFS). This option must only be used when
this consequence is clearly understood and when specific precautions
are taken to avoid compromising the ACL content.
Azure Active Directory / Office365 synchronisation improvements
Use of the Azure AD Connect cloud sync tool is now supported for
password hash synchronisation, allowing Samba AD Domains to synchronise
passwords with this popular cloud environment.
REMOVED FEATURES
smb.conf changes
Parameter Name Description Default
acl_xattr:security_acl_name New security.NTACL
server addresses New
CHANGES SINCE 4.18.0rc4
* BUG 15314: streams_xattr is creating unexpected locks on folders.
* BUG 15310: New samba-dcerpc architecture does not scale gracefully.
CHANGES SINCE 4.18.0rc3
* BUG 15308: Avoid that tests fail because other tests didn't do cleanup on
failure.
* BUG 15311: fd_load() function implicitly closes the fd where it should not.
CHANGES SINCE 4.18.0rc2
* BUG 15301: Improve file_modtime() and issues around smb3 unix test.
* BUG 15299: Spotlight doesn't work with latest macOS Ventura.
* BUG 15298: Build failure on solaris with tevent 0.14.0 (and ldb 2.7.0).
(tevent 0.14.1 and ldb 2.7.1 are already released...)
* BUG 15307: vfs_ceph incorrectly uses fsp_get_io_fd() instead of
fsp_get_pathref_fd() in close and fstat.
* BUG 15291: test_chdir_cache.sh doesn't work with SMBD_DONT_LOG_STDOUT=1.
* BUG 15301: Improve file_modtime() and issues around smb3 unix test.
CHANGES SINCE 4.18.0rc1
* BUG 10635: Office365 azure Password Sync not working.
* BUG 15286: auth3_generate_session_info_pac leaks wbcAuthUserInfo.
* BUG 15293: With clustering enabled samba-bgqd can core dump due to use
after free.
Release Notes for Samba 4.17.7
This is a security release in order to address the following defects:
o CVE-2023-0225: An incomplete access check on dnsHostName allows authenticated
but otherwise unprivileged users to delete this attribute from
any object in the directory.
https://www.samba.org/samba/security/CVE-2023-0225.html
o CVE-2023-0922: The Samba AD DC administration tool, when operating against a
remote LDAP server, will by default send new or reset
passwords over a signed-only connection.
https://www.samba.org/samba/security/CVE-2023-0922.html
o CVE-2023-0614: The fix in 4.6.16, 4.7.9, 4.8.4 and 4.9.7 for CVE-2018-10919
Confidential attribute disclosure via LDAP filters was
insufficient and an attacker may be able to obtain
confidential BitLocker recovery keys from a Samba AD DC.
Installations with such secrets in their Samba AD should
assume they have been obtained and need replacing.
https://www.samba.org/samba/security/CVE-2023-0614.html
* BUG 15276: CVE-2023-0225.
* BUG 15270: CVE-2023-0614.
* BUG 15331: ldb wildcard matching makes excessive allocations.
* BUG 15332: large_ldap test is inefficient.
* BUG 15315: CVE-2023-0922.
* BUG 14810: CVE-2020-25720 [SECURITY] Create Child permission should not
allow full write to all attributes (additional changes).
* BUG 15270: CVE-2023-0614.
* BUG 15276: CVE-2023-0225.
Release Notes for Samba 4.17.6
* BUG 15314: streams_xattr is creating unexpected locks on folders.
* BUG 10635: Use of the Azure AD Connect cloud sync tool is now supported for
password hash synchronisation, allowing Samba AD Domains to synchronise
passwords with this popular cloud environment.
* BUG 15299: Spotlight doesn't work with latest macOS Ventura.
* BUG 15310: New samba-dcerpc architecture does not scale gracefully.
* BUG 15307: vfs_ceph incorrectly uses fsp_get_io_fd() instead of
fsp_get_pathref_fd() in close and fstat.
* BUG 15293: With clustering enabled samba-bgqd can core dump due to use
after free.
* BUG 15311: fd_load() function implicitly closes the fd where it should not.
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
- powertop requires debug_fs to be enabled in the kernel for it to function. In Core
Update 171 debug_fs was disabled as a security risk for a firewall application.
- Based on the above powertop has stopped functioning since Core Update 171. Discussed
at IPFire Developers monthly conf call for April and agreed to remove the addon as
debug_fs will not be re-enabled.
- removal of lfs and rootfiles and removal of powertop line in make.sh
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Acked-by: Michael Tremer <michael.tremer@ipfire.org>
