bpftool comes with Linux kernel source and
it is handy to have bpftool on ipfire kernel
with BPF/BTF enabled to diagnosis BPF related
issue.
Signed-off-by: Vincent Li <vincent.mc.li@gmail.com>
- Update from version 2.5.0 to 2.6.0
- Update of rootfile
- This update fixes two CVE's. Not sure if IPFire would be vulnerable or not but safer
to update anyway.
- Changelog
2.6.0
Security fixes:
#789#814 CVE-2023-52425 -- Fix quadratic runtime issues with big tokens
that can cause denial of service, in partial where
dealing with compressed XML input. Applications
that parsed a document in one go -- a single call to
functions XML_Parse or XML_ParseBuffer -- were not affected.
The smaller the chunks/buffers you use for parsing
previously, the bigger the problem prior to the fix.
Backporters should be careful to no omit parts of
pull request #789 and to include earlier pull request #771,
in order to not break the fix.
#777 CVE-2023-52426 -- Fix billion laughs attacks for users
compiling *without* XML_DTD defined (which is not common).
Users with XML_DTD defined have been protected since
Expat >=2.4.0 (and that was CVE-2013-0340 back then).
Bug fixes:
#753 Fix parse-size-dependent "invalid token" error for
external entities that start with a byte order mark
#780 Fix NULL pointer dereference in setContext via
XML_ExternalEntityParserCreate for compilation with
XML_DTD undefined
#812#813 Protect against closing entities out of order
Other changes:
#723 Improve support for arc4random/arc4random_buf
#771#788 Improve buffer growth in XML_GetBuffer and XML_Parse
#761#770 xmlwf: Support --help and --version
#759#770 xmlwf: Support custom buffer size for XML_GetBuffer and read
#744 xmlwf: Improve language and URL clickability in help output
#673 examples: Add new example "element_declarations.c"
#764 Be stricter about macro XML_CONTEXT_BYTES at build time
#765 Make inclusion to expat_config.h consistent
#726#727 Autotools: configure.ac: Support --disable-maintainer-mode
#678#705 ..
#706#733#792 Autotools: Sync CMake templates with CMake 3.26
#795 Autotools: Make installation of shipped man page doc/xmlwf.1
independent of docbook2man availability
#815 Autotools|CMake: Add missing -DXML_STATIC to pkg-config file
section "Cflags.private" in order to fix compilation
against static libexpat using pkg-config on Windows
#724#751 Autotools|CMake: Require a C99 compiler
(a de-facto requirement already since Expat 2.2.2 of 2017)
#793 Autotools|CMake: Fix PACKAGE_BUGREPORT variable
#750#786 Autotools|CMake: Make test suite require a C++11 compiler
#749 CMake: Require CMake >=3.5.0
#672 CMake: Lowercase off_t and size_t to help a bug in Meson
#746 CMake: Sort xmlwf sources alphabetically
#785 CMake|Windows: Fix generation of DLL file version info
#790 CMake: Build tests/benchmark/benchmark.c as well for
a build with -DEXPAT_BUILD_TESTS=ON
#745#757 docs: Document the importance of isFinal + adjust tests
accordingly
#736 docs: Improve use of "NULL" and "null"
#713 docs: Be specific about version of XML (XML 1.0r4)
and version of C (C99); (XML 1.0r5 will need a sponsor.)
#762 docs: reference.html: Promote function XML_ParseBuffer more
#779 docs: reference.html: Add HTML anchors to XML_* macros
#760 docs: reference.html: Upgrade to OK.css 1.2.0
#763#739 docs: Fix typos
#696 docs|CI: Use HTTPS URLs instead of HTTP at various places
#669#670 ..
#692#703 ..
#733#772 Address compiler warnings
#798#800 Address clang-tidy warnings
#775#776 Version info bumped from 9:10:8 (libexpat*.so.1.8.10)
to 10:0:9 (libexpat*.so.1.9.0); see https://verbump.de/
for what these numbers do
Infrastructure:
#700#701 docs: Document security policy in file SECURITY.md
#766 docs: Improve parse buffer variables in-code documentation
#674#738 ..
#740#747 ..
#748#781#782 Refactor coverage and conformance tests
#714#716 Refactor debug level variables to unsigned long
#671 Improve handling of empty environment variable value
in function getDebugLevel (without visible user effect)
#755#774 ..
#758#783 ..
#784#787 tests: Improve test coverage with regard to parse chunk size
#660#797#801 Fuzzing: Improve fuzzing coverage
#367#799 Fuzzing|CI: Start running OSS-Fuzz fuzzing regression tests
#698#721 CI: Resolve some Travis CI leftovers
#669 CI: Be robust towards absence of Git tags
#693#694 CI: Set permissions to "contents: read" for security
#709 CI: Pin all GitHub Actions to specific commits for security
#739 CI: Reject spelling errors using codespell
#798 CI: Enforce clang-tidy clean code
#773#808 ..
#809#810 CI: Upgrade Clang from 15 to 18
#796 CI: Start using Clang's Control Flow Integrity sanitizer
#675#720#722 CI: Adapt to breaking changes in GitHub Actions Ubuntu images
#689 CI: Adapt to breaking changes in Clang/LLVM Debian packaging
#763 CI: Adapt to breaking changes in codespell
#803 CI: Adapt to breaking changes in Cppcheck
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
- Updated lfs file to core program type
- Moved rootfile from packages to common
- Older suricata versions required elfutils only for building but suricata-7.0.2 fails to
start if elfutils is not present due to libelf.so.1 being missing.
- The requirement for elfutils is not mentioned at all in the changelog.
Fixes: Bug#13516
Tested-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
- Update from version 0.22 to 0.22.4
- Update of rootfile
- Changelog
0.22.4
* Bug fixes:
- AM_GNU_GETTEXT now recognizes a statically built libintl on macOS and AIX.
- Build fixes on AIX.
0.22.3
* Portability:
- The libintl library now works on macOS 14. (Older versions of libintl
crash on macOS 14, due to an incompatible change in macOS.)
0.22.2
* Bug fixes:
- The libintl shared library now exports again some symbols that were
accidentally missing.
<https://savannah.gnu.org/bugs/index.php?64323>
This bug was introduced in version 0.22.
0.22.1
* Bug fixes:
- xgettext's processing of large Perl files may have led to errors
<https://savannah.gnu.org/bugs/index.php?64552>
- "xgettext --join-existing" could encounter errors.
<https://savannah.gnu.org/bugs/index.php?64490>
These bugs were introduced in version 0.22.
* Portability:
- Building on Android is now supported.
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
- Update from version 1.3 to 1.3.1
- Update of rootfile
- Changelog
1.3.1
- Reject overflows of zip header fields in minizip
- Fix bug in inflateSync() for data held in bit buffer
- Add LIT_MEM define to use more memory for a small deflate speedup
- Fix decision on the emission of Zip64 end records in minizip
- Add bounds checking to ERR_MSG() macro, used by zError()
- Neutralize zip file traversal attacks in miniunz
- Fix a bug in ZLIB_DEBUG compiles in check_match()
- Various portability and appearance improvements
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
- Update from version 5.4.5 to 5.4.6
- Update of rootfile
- Changelog
5.4.6
* Fixed a bug involving internal function pointers in liblzma not
being initialized to NULL. The bug can only be triggered if
lzma_filters_update() is called on a LZMA1 encoder, so it does
not affect xz or any application known to us that uses liblzma.
* xz:
- Fixed a regression introduced in 5.4.2 that caused encoding
in the raw format to unnecessarily fail if --suffix was not
used. For instance, the following command no longer reports
that --suffix must be used:
echo foo | xz --format=raw --lzma2 | wc -c
- Fixed an issue on MinGW-w64 builds that prevented reading
from or writing to non-terminal character devices like NUL.
* Added a new test.
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
- Update from 1.6.39 to 1.6.41
- Update of rootfile
- Changelog
1.6.41
Added SIMD-optimized code for the Loongarch LSX hardware.
(Contributed by GuXiWei, JinBo and ZhangLixia)
Fixed the run-time discovery of MIPS MSA hardware.
(Contributed by Sui Jingfeng)
Fixed an off-by-one error in the function `png_do_check_palette_indexes`,
which failed to recognize errors that might have existed in the first
column of a broken palette-encoded image. This was a benign regression
accidentally introduced in libpng-1.6.33. No pixel was harmed.
(Contributed by Adam Richter; reviewed by John Bowler)
Fixed, improved and modernized the contrib/pngminus programs, i.e.,
png2pnm.c and pnm2png.c
Removed old and peculiar portability hacks that were meant to silence
warnings issued by gcc version 7.1 alone.
(Contributed by John Bowler)
Fixed and modernized the CMake file, and raised the minimum required
CMake version from 3.1 to 3.6.
(Contributed by Clinton Ingram, Timothy Lyanguzov, Tyler Kropp, et al.)
Allowed the configure script to disable the building of auxiliary tools
and tests, thus catching up with the CMake file.
(Contributed by Carlo Bramini)
Fixed a build issue on Mac.
(Contributed by Zixu Wang)
Moved the Autoconf macro files to scripts/autoconf.
Moved the CMake files (except for the main CMakeLists.txt) to
scripts/cmake and moved the list of their contributing authors to
scripts/cmake/AUTHORS.md
Updated the CI configurations and scripts.
Relicensed the CI scripts to the MIT License.
Improved the test coverage.
(Contributed by John Bowler)
1.6.40
Fixed the eXIf chunk multiplicity checks.
Fixed a memory leak in pCAL processing.
Corrected the validity report about tRNS inside png_get_valid().
Fixed various build issues on *BSD, Mac and Windows.
Updated the configurations and the scripts for continuous integration.
Cleaned up the code, the build scripts, and the documentation.
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
* A file in PKCS12 format can contain certificates and keys and may come from
an untrusted source. The PKCS12 specification allows certain fields to be
NULL, but OpenSSL did not correctly check for this case. A fix has been
applied to prevent a NULL pointer dereference that results in OpenSSL
crashing. If an application processes PKCS12 files from an untrusted source
using the OpenSSL APIs then that application will be vulnerable to this
issue prior to this fix.
OpenSSL APIs that were vulnerable to this are: PKCS12_parse(),
PKCS12_unpack_p7data(), PKCS12_unpack_p7encdata(), PKCS12_unpack_authsafes()
and PKCS12_newpass().
We have also fixed a similar issue in SMIME_write_PKCS7(). However since this
function is related to writing data we do not consider it security
significant.
([CVE-2024-0727])
*Matt Caswell*
* When function EVP_PKEY_public_check() is called on RSA public keys,
a computation is done to confirm that the RSA modulus, n, is composite.
For valid RSA keys, n is a product of two or more large primes and this
computation completes quickly. However, if n is an overly large prime,
then this computation would take a long time.
An application that calls EVP_PKEY_public_check() and supplies an RSA key
obtained from an untrusted source could be vulnerable to a Denial of Service
attack.
The function EVP_PKEY_public_check() is not called from other OpenSSL
functions however it is called from the OpenSSL pkey command line
application. For that reason that application is also vulnerable if used
with the "-pubin" and "-check" options on untrusted data.
To resolve this issue RSA keys larger than OPENSSL_RSA_MAX_MODULUS_BITS will
now fail the check immediately with an RSA_R_MODULUS_TOO_LARGE error reason.
([CVE-2023-6237])
*Tomáš Mráz*
* Restore the encoding of SM2 PrivateKeyInfo and SubjectPublicKeyInfo to
have the contained AlgorithmIdentifier.algorithm set to id-ecPublicKey
rather than SM2.
*Richard Levitte*
* The POLY1305 MAC (message authentication code) implementation in OpenSSL
for PowerPC CPUs saves the contents of vector registers in different
order than they are restored. Thus the contents of some of these vector
registers is corrupted when returning to the caller. The vulnerable code is
used only on newer PowerPC processors supporting the PowerISA 2.07
instructions.
The consequences of this kind of internal application state corruption can
be various - from no consequences, if the calling application does not
depend on the contents of non-volatile XMM registers at all, to the worst
consequences, where the attacker could get complete control of the
application process. However unless the compiler uses the vector registers
for storing pointers, the most likely consequence, if any, would be an
incorrect result of some application dependent calculations or a crash
leading to a denial of service.
([CVE-2023-6129])
*Rohan McLure*
* Fix excessive time spent in DH check / generation with large Q parameter
value.
Applications that use the functions DH_generate_key() to generate an
X9.42 DH key may experience long delays. Likewise, applications that use
DH_check_pub_key(), DH_check_pub_key_ex() or EVP_PKEY_public_check()
to check an X9.42 DH key or X9.42 DH parameters may experience long delays.
Where the key or parameters that are being checked have been obtained from
an untrusted source this may lead to a Denial of Service.
([CVE-2023-5678])
*Richard Levitte*
* Disable building QUIC server utility when OpenSSL is configured with
`no-apps`.
*Vitalii Koshura*
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
- lfs and rootfile created.
- rootfile put into common as it is only used as a build dependency.
- Used setup.py build approach as the pyproject.toml approach failed to build successfully
Tested-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
- lfs and rootfile created.
- rootfile put into common as it is only used as a build dependency.
- Used setup.py build approach as the pyproject.toml approach failed to build successfully.
Tested-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
- lfs and rootfile created.
- rootfile put into common as it is only used as a build dependency.
- Used setup.py build approach as pyproject.toml approach kept failing to build
Tested-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
- lfs and rootfile created.
- rootfile put into common as it is only used as a build dependency.
- Used pyproject.toml build approach
Tested-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
- lfs and rootfile created.
- rootfile put into common as it is only used as a build dependency.
- Used pyproject.toml build approach
Tested-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
- lfs and rootfile created.
- rootfile put into common as it is only used as a build dependency.
- Used pyproject.toml build approach
Tested-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
- lfs and rootfile created.
- rootfile put into common as it is only used as a build dependency.
- Used pyproject.toml build approach
Tested-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
- lfs and rootfile created.
- rootfile put into common as it is only used as a build dependency.
- Used pyproject.toml build approach
Tested-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
- abseil-cpp required to build protobuf which is required for protobuf-c which is new
build dependency for frr
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
- Update from version 2.1.4 to 2.1.148
- Update of rootfile
- Minimum version of 2.1.128 will be required in a future frr release and currently needs
to be a minimum of 2.1.80 but not 2.1.111
- Changelog
2.1.148
Main changes of this release are:
lots of bugfixes and improvements in various parts of the library
2.1.128
Main changes of this release are:
revert of identityref canonical value change
the identity always printed with the module name as the prefix
data tree and hash table optimizations
opaque node handling fixes and improvements
lots of other bug fixes
2.1.111
Main changes of this release are:
opaque node parsing improved
native RESTCONF operation parsing support
union value error reporting improved
new yanglint and yangre tests
optional support for leafref with XPath functions
lots of other fixes and improvements
2.1.80
Main changes of this release are:
RESTCONF message parsing
JSON parser refactor
timezone DST handling
public hash table API
stored union value bugfix
many other clarifications, improvements, and bugfixes
2.1.55
Main changes of this release are:
type compilation fixes
multi-error validation support
JSON parser fixes
portability improvements
schema-mount support improvements
minor optimizations
other minor fixes
2.1.30
Main changes of this release are:
many JSON printer/parser fixes and improvements
unintentionally large library size reduced
thread safety improvements
big-endian compatibility fix
uncrustify updated
lots of other fixes and improvements
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
- Update from version 1.5.3 to 1.6.0
- Update of rootfile
- A build bug was found with 1.6.0 if --enable-read-both-confs was set in the configure.
A commit fixing this has been released and converted into a patch for IPFire. This
will end up in the next pam release version and the IPFire patch can then be removed.
- Changelog
1.6.0
* Added support of configuration files with arbitrarily long lines.
* build: fixed build outside of the source tree.
* libpam: added use of getrandom(2) as a source of randomness if available.
* libpam: fixed calculation of fail delay with very long delays.
* libpam: fixed potential infinite recursion with includes.
* libpam: implemented string to number conversions validation when parsing
controls in configuration.
* pam_access: added quiet_log option.
* pam_access: fixed truncation of very long group names.
* pam_canonicalize_user: new module to canonicalize user name.
* pam_echo: fixed file handling to prevent overflows and short reads.
* pam_env: added support of '\' character in environment variable values.
* pam_exec: allowed expose_authtok for password PAM_TYPE.
* pam_exec: fixed stack overflow with binary output of programs.
* pam_faildelay: implemented parameter ranges validation.
* pam_listfile: changed to treat \r and \n exactly the same in configuration.
* pam_mkhomedir: hardened directory creation against timing attacks.
Please note that using *at functions leads to more open file handles
during creation.
* pam_namespace: fixed potential local DoS (CVE-2024-22365).
* pam_nologin: fixed file handling to prevent short reads.
* pam_pwhistory: helper binary is now built only if SELinux support is enabled.
* pam_pwhistory: implemented reliable usernames handling when remembering
passwords.
* pam_shells: changed to allow shell entries with absolute paths only.
* pam_succeed_if: fixed treating empty strings as numerical value 0.
* pam_unix: added support of disabled password aging.
* pam_unix: synchronized password aging with shadow.
* pam_unix: implemented string to number conversions validation.
* pam_unix: fixed truncation of very long user names.
* pam_unix: corrected rounds retrieval for configured encryption method.
* pam_unix: implemented reliable usernames handling when remembering passwords.
* pam_unix: changed to always run the helper to obtain shadow password entries.
* pam_unix: unix_update helper binary is now built only if SELinux support
is enabled.
* pam_unix: added audit support to unix_update helper.
* pam_userdb: added gdbm support.
* Multiple minor bug fixes, portability fixes, documentation improvements,
and translation updates.
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
- Update from version 1.41 to 1.42
- Update of rootfile
- Changelog
1.42
** Bump required gettext version to 0.19.8 for musl-libc.
** Compiler warning improvements.
As before, compiler warnings are enabled by default. You may disable
them using ./configure --disable-gcc-warnings or turn them into fatal
errors using ./configure --enable-gcc-warnings=error to add -Werror
and sensible -Wno-error='s. Based on gnulib's manywarnings, see
<https://www.gnu.org/software/gnulib//manual/html_node/manywarnings.html>.
** Fix type confusion on LLP64/Windows platforms.
While libidn has worked using cygwin libc, it has never worked on
ucrt/msvcrt libc. Report and tiny patch by Francesco Pretto in
<https://lists.gnu.org/archive/html/help-libidn/2022-02/msg00000.html>.
** tests: Added script tests/standalone.sh suitable for integrators.
The main purpose is to test a system-installed libidn, suitable for
distributor checking (a'la Debian's autopkgtest/debci). It may also
be used to test a newly built libidn outside the usual 'make check'
infrastructure. To check that your system libidn is working, invoke
the script with `srcdir` as an environment variable indicating where
it can be find the source code for libidn's tests/ directory (it will
use the directory name where the script is by default):
tests/standalone.sh
To check that a newly built static libidn behaves, invoke:
env STANDALONE_CFLAGS="-Ilib lib/.libs/libidn.a"
tests/standalone.sh
To check that a newly built shared libidn behaves, invoke:
env srcdir=tests STANDALONE_CFLAGS="-Ilib -Wl,-rpath
lib/.libs lib/.libs/libidn.so" tests/standalone.sh
If the libidn under testing is too old and has known bugs, that
should cause tests to fail, which is intentional.
** Updated translations.
** Update gnulib files and build fixes.
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
- Update from version 3.8.2 to 3.8.3
- Update of rootfile
- Changelog
3.8.3
- libgnutls: Fix more timing side-channel inside RSA-PSK key exchange
[GNUTLS-SA-2024-01-14, CVSS: medium] [CVE-2024-0553]
- libgnutls: Fix assertion failure when verifying a certificate chain with a
cycle of cross signatures
[GNUTLS-SA-2024-01-09, CVSS: medium] [CVE-2024-0567]
- libgnutls: Fix regression in handling Ed25519 keys stored in PKCS#11 token
certtool was unable to handle Ed25519 keys generated on PKCS#11
with pkcs11-tool (OpenSC). This is a regression introduced in 3.8.2.
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
- Update from version 23.08.0 to 24.01.0
- Update of rootfile
- Changelog
24.01.0:
core:
* Don't crash on certain documents on the NSS signature backend
* Fix infinite loop in some annotation code if there's not space for
even one character
* Fix build on Android with generic font configuration
* Small internal code cleanup
23.12.0:
core:
* Rewrite FoFiType1::parse to be more flexible. Issue #1422
* Small internal code refactoring
23.11.0:
core:
* CairoOutputDev: Use internal downscaling algorithm if image exceeds
Cairo's maximum dimensions.
* Internal code improvements
* Fix crash on malformed files
utils:
* pdftocairo: Add option to document logical structure if output is pdf
* pdftocairo: EPS output should not contain %%PageOrientation
23.10.0:
core:
* cairo: update type 3 fonts for cairo 1.18 api
* Fix crash on malformed files
build system:
* Make a few more dependencies soft-mandatory
* Add more supported gnupg releases
* Check if linker supports version scripts
23.09.0:
core:
* Add Android-specific font matching functionality
* Fix digital signatures for NeedAppearance=true
* Forms: Don't look up same glyph multiple times
* Provide the key location for certificates you can sign with
* Add ToUnicode support for similarequal
* Fix crash on malformed files
qt5:
* Provide the key location for certificates you can sign with
* Allow to force a rasterized overprint preview during PS conversion
qt6:
* Provide the key location for certificates you can sign with
* Allow to force a rasterized overprint preview during PS conversion
pdfsig:
* Provide the key location for certificates you can sign with
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
To quote from the kernel documentation:
> Historically the kernel has allowed TIOCSTI, which will push
> characters into a controlling TTY. This continues to be used
> as a malicious privilege escalation mechanism, and provides no
> meaningful real-world utility any more. Its use is considered
> a dangerous legacy operation, and can be disabled on most
> systems.
>
> Say Y here only if you have confirmed that your system's
> userspace depends on this functionality to continue operating
> normally.
>
> Processes which run with CAP_SYS_ADMIN, such as BRLTTY, can
> use TIOCSTI even when this is set to N.
>
> This functionality can be changed at runtime with the
> dev.tty.legacy_tiocsti sysctl. This configuration option sets
> the default value of the sysctl.
This patch therefore proposes to no longer allow legacy TIOCSTI usage
in IPFire, given its security implications and the apparent lack of
legitimate usage.
Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
The "ping" plugin does not re-resolve the gateway IP address after
pinging it for the first time. For most people this won't be a big
problem, but if the default gateway changes, the latency graph won't
work any more.
In order to do re-resolve "gateway", the only way is to restart
collectd.
Fixes: #13522
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Acked-by: Peter Müller <peter.mueller@ipfire.org>
According to the source tarball's NEWS file:
- Improvements
- Allow passing a path to modprobe so the module is loaded from
anywhere from the filesystem, but still handling the module
dependencies recorded in the indexes. This is mostly intended for kernel
developers to speedup testing their kernel modules without having to load the
dependencies manually or override the module in /usr/lib/modules/.
Now it's possible to do:
# modprobe ./drivers/gpu/drm/i915/i915.ko
As long as the dependencies didn't change, this should do the right thing
- Use in-kernel decompression if available. This will check the runtime support
in the kernel for decompressing modules and use it through finit_module().
Previously kmod would fallback to the older init_module() when using
compressed modules since there wasn't a way to instruct the kernel to
uncompress it on load or check if the kernel supported it or not.
This requires a recent kernel (>= 6.4) to have that support and
in-kernel decompression properly working in the kernel.
- Make modprobe fallback to syslog when stderr is not available, as was
documented in the man page, but not implemented
- Better explaing `modprobe -r` and how it differentiates from rmmod
- depmod learned a `-o <dir>` option to allow using a separate output
directory. With this, it's possible to split the output files from
the ones used as input from the kernel build system
- Add compat with glibc >= 2.32.9000 that dropped __xstat
- Improve testsuite to stop skipping tests when sysconfdir is something
other than /etc
- Build system improvements and updates
- Change a few return codes from -ENOENT to -ENODATA to avoid confusing output
in depmod when the module itself lacks a particular ELF section due to e.g.
CONFIG_MODVERSIONS=n in the kernel.
- Bug Fixes
- Fix testsuite using uninitialized memory when testing module removal
with --wait
- Fix testsuite not correctly overriding the stat syscall on 32-bit
platforms. For most architectures this was harmless, but for MIPS it
was causing some tests to fail.
- Fix handling unknown signature algorithm
- Fix linking with a static liblzma, libzstd or zlib
- Fix memory leak when removing module holders
- Fix out-of-bounds access when using very long paths as argument to rmmod
- Fix warnings reported by UBSan
Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
Noteworthy changes in this release, according to
https://lists.gnu.org/archive/html/info-gnu/2023-05/msg00001.html :
* New option --ignore-dirnlink
Valid in copy-out mode, it instructs cpio to ignore the actual number
of links reported for each directory member and always store 2
instead.
* Changes in --reproducible option
The --reproducible option implies --ignore-dirlink. In other words,
it is equivalent to --ignore-devno --ignore-dirnlink --renumber-inodes.
* Use GNU ls algorithm for deciding timestamp format in -tv mode
* Bugfixes
** Fix cpio header verification.
** Fix handling of device numbers on copy out.
** Fix calculation of CRC in copy-out mode.
** Rewrite the fix for CVE-2015-1197.
** Fix combination of --create --append --directory.
** Fix appending to archives bigger than 2G.
Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
- Update from version 2.14.1 to 2.15.0
- Update of rootfile
- Autogen no longer required
- fcobjshash.h is no longer in tarball from version 2.13.1
- Changelog
2.15
Do not change the order of orth files
Convert tabs to spaces
Convert more tabs to spaces in docs
src/meson.build: Store correct paths to fontconfig.pc.
Fix a typo in description for HAVE_STDATOMIC_PRIMITIVES
Report more detailed logs instead of assertion.
Add some missing constant names for weight.
Adujst indentation between programlisting in fontconfig-user.sgml
Bump version to 2.14.2
Clean up unused code
Add another test case for flatpak
Update 65-nonlatin.conf for macOS
Change the order of the properties to the order of fontconfig cache format
Add missing property descriptions
Add namedinstance property
Remove the problematic language from code and doc
Fix a typo
Fix a typo for FcCharSetDelChar doc
Fix a typo in scalable property
Use 'outline' instead of 'scalable' for bitmaps
Add more docs about selectfont
Rework CI implementation
Fix a typo
Rework CI implementation v2
Apply a fix of ci-templates
Fix uninitialized memory access when failing memory allocation.
Create a symlink with relative path
Fix an error of "initializer element is not constant"
Update CaseFolding.txt to Unicode 15.1
Update the encoding table for Simplified Chinese
Retry to decode strings in the name table as UTF-16BE in some cases.
Work around decoding strings in Macintosh encoding for the name table.
Add iconv detection for meson build
.gitlab-ci: Update
CI: Update
CI: static build only for rawhide
Use memmove instead of memcpy
Rename README to NEWS and add README.md
Update so version
Fix leak of `reason` in _FcConfigParse when not complaining
Ignore LC_CTYPE if set to "UTF-8"
Some doc clarifications
Add FC_FONT_WRAPPER
Detect standalone CFF fonts for FC_FONT_WRAPPER
Add anp.orth, bhb.orth, hif.orth, mag.orth, raj.orth, and the.orth
Add {agr,ayc,bem,ckb,cmn,dsb,hak,lij,lzh,mfe,mhr,miq,mjw,mnw,nan,nhn,niu,rif,sgs,shn,szl,tcy,tpi,unm,wae,yue,yuw}.orth
Change index type to 16 bit and bump cache version to 9
Expand ~ in glob
Add optional 11-lcdfilter-none configuration
Fix filepaths added when scanning with sysroot
Fix false-positive CFI failure
In fcfreetype.c, `GetScriptTags`: fix `use_of_uninitialized_value` and return the correct number of parsed tags in case the font file contains less tags than indicated.
meson: Support any compiler with gcc or msvc argument syntax
fix typo
Reload MM/VF metadata for each font face in font collection
fixed typos in fc-conflist.sgml
Add aliases for Helvetica LT Std
2.14.2
Fix the build issue on meson when -g option is added to c_args
Store artifacts for meson windows CI
Add FC_DESKTOP_NAME property
Add --with-default-sub-pixel-rendering option
Update po-conf/POTFILES.in
Ignore null pointer on Fc*Destroy functions
Convert tabs to spaces
Convert more tabs to spaces in docs
src/meson.build: Store correct paths to fontconfig.pc.
Fix a typo in description for HAVE_STDATOMIC_PRIMITIVES
Report more detailed logs instead of assertion.
Add some missing constant names for weight.
Adujst indentation between programlisting in fontconfig-user.sgml
meson: modify gperf test to remove sh dependency
meson: Update freetype2 git repository to upstream
Ignore LC_CTYPE if set to "UTF-8"
Expand ~ in glob
fix typo
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
- Update from version 2.11.4 to 2.12.3
- Update of rootfile
- Changelog
2.12.3: Dec 12 2023
### Regressions
- parser: Fix namespaces redefined from default attributes
### Build fixes
- include: Rename XML_EMPTY helper macro
- include: Move declaration of xmlInitGlobals
- include: Add missing includes
- include: Move globals from xmlsave.h to parser.h
- include: Readd circular dependency between tree.h and parser.h
2.12.2: Dec 5 2023
### Regressions
- parser: Fix invalid free in xmlParseBalancedChunkMemoryRecover
- globals: Disable TLS in static Windows builds
- html: Reenable buggy detection of XML declarations
- tree: Fix regression when copying DTDs
- parser: Make CRLF increment line number
### Build fixes
- build: Disable compiler TLS by default
- cmake: Update config.h.cmake.in
- tests: Fix tests --with-valid --without-xinclude
2.12.1: Nov 23 2023
### Regressions
- hash: Fix deletion of entries during scan
- parser: Only enable SAX2 if there are SAX2 element handlers
### Build fixes
- autotools: Stop checking for snprintf
- dict: Fix '__thread' before 'static'
- fix: pthread weak references in globals.c (Mike Dalessio)
- tests: Fix build with older MSVC
2.12.0: Nov 16 2023
### Major changes
Most of the known issues leading to quadratic behavior in the XML parser
were fixed. Internal hash tables were rewritten to reduce memory
consumption.
Starting with this release, it should be enough to add the --with-legacy
configuration option to provide maximum ABI compatibility. For example,
if a code module was removed from the default configuration, the option
will add stubs for the removed symbols.
libxml2 will now store global variables in thread-local storage if supported
by the compiler. This avoids allocating the data lazily which can result in
a fatal error condition. A new API function xmlCheckThreadLocalStorage
was added so the allocation can be checked earlier if compiler TLS is not
supported. To prepare for future improvements, some API functions now expect
or return a const xmlError struct.
Several cyclic dependencies in public header files were fixed. As a result,
certain headers won't include other headers as before.
Refactoring of the encoding code has been mostly completed. Calling
xmlSwitchEncoding from client code is now fully supported, for example to
override the encoding for the push parser.
When parsing data from memory, libxml2 will now stream data chunk by chunk
instead of copying the whole buffer (possibly twice with encodings),
reducing peak memory consumption considerably.
A new API function xmlCtxtSetMaxAmplification was added to allow parsing
of files that would otherwise trigger the billion laughs protection.
Several bugs in the regex determinism checks were fixed. Invalid XML
Schemas which previous versions erroneously accepted will now be
rejected.
### Deprecations
- globals: Deprecate xmlLastError
- parser: Deprecate global parser options
- win32: Deprecate old Windows build system
### Bug fixes
- parser: Stop switching to ISO-8859-1 on encoding errors
- parser: Support encoded external PEs in entity values
- string: Fix UTF-8 validation in xmlGetUTF8Char
- SAX2: Allow multiple top-level elements
- parser: Update line number after coalescing text nodes
- parser: Check for truncated multi-byte sequences
### Improvements
- error: Make more xmlError structs constant
- parser: Remove redundant IS_CHAR check in xmlCurrentChar
- parser: Fix stack handling in xmlParseTryOrFinish
- parser: Protect against quadratic default attribute expansion
- parser: Missing checks for disableSAX
- entities: Make xmlFreeEntity public
- examples: Don't use sprintf
- encoding: Suppress -Wcast-align warnings
- parser: Use hash tables to avoid quadratic behavior
- parser: Don't skip CR in xmlCurrentChar
- dict: Rewrite dictionary hash table code
- hash: Rewrite hash table code
- malloc-fail: Report malloc failure in xmlFARegExec
- malloc-fail: Report malloc failure in xmlRegEpxFromParse
- parser: Simplify xmlStringCurrentChar
- regexp: Fix status codes and handle invalid UTF-8
- error: Make xmlGetLastError return a const error
- html: Fix logic in htmlAutoClose
- globals: Move globals back to correct header files
- globals: Use thread-local storage if available
- globals: Rework global state destruction on Windows
- globals: Define globals using macros
- globals: Introduce xmlCheckThreadLocalStorage
- globals: Make xmlGlobalState private
- threads: Move library initialization code to threads.c
- debug: Remove debugging code
- globals: Move code from threads.c to globals.c
- parser: Avoid undefined behavior in xmlParseStartTag2
- schemas: Fix memory leak of annotations in notations
- dict: Update hash function
- dict: Use thread-local storage for PRNG state
- dict: Use xoroshiro64** as PRNG
- xmllint: Fix error messages
- parser: Fix detection of null bytes
- parser: Improve error handling in push parser
- parser: Don't check inputNr in xmlParseTryOrFinish
- parser: Remove push parser debugging code
- tree: Fix copying of DTDs
- legacy: Add stubs for disabled modules
- parser: Allow to set maximum amplification factor
- entities: Don't change doc when encoding entities
- parser: Never use UTF-8 encoding handler
- encoding: Remove debugging code
- malloc-fail: Fix unsigned integer overflow in xmlTextReaderPushData
- html: Remove encoding hack in htmlCreateFileParserCtxt
- parser: Decode all data in xmlCharEncInput
- parser: Stream data when reading from memory
- parser: Optimize xmlLoadEntityContent
- parser: Don't overwrite EOF parser state
- parser: Simplify input pointer updates
- parser: Don't reinitialize parser input members
- encoding: Move rawconsumed accounting to xmlCharEncInput
- parser: Rework encoding detection
- parser: Always create UTF-8 in xmlParseReference
- html: Remove some debugging code in htmlParseTryOrFinish
- malloc-fail: Fix memory leak in xmlCompileAttributeTest
- parser: Recover more input from encoding errors
- malloc-fail: Handle malloc failures in xmlAddEncodingAlias
- malloc-fail: Fix null-deref with xmllint --copy
- xpath: Ignore entity ref nodes when computing node hash
- malloc-fail: Fix null deref after xmlXIncludeNewRef
- SAX: Always validate xml:ids
- Stop using sprintf
- Fix compiler warning on GCC < 8
- regexp: Fix determinism checks
- regexp: Fix checks for eliminated transitions
- regexp: Simplify xmlFAReduceEpsilonTransitions
- regexp: Fix cycle check in xmlFAReduceEpsilonTransitions
- schemas: Fix filename in xmlSchemaValidateFile
- schemas: Fix line numbers in streaming validation
- writer: Add error check in xmlTextWriterEndDocument
- encoding: Stop calling xmlEncodingErr
- xmlIO: Remove some calls to xmlIOErr
- parser: Improve handling of encoding and IO errors
- parser: Move xmlFatalErr to parserInternals.c
- encoding: Rework error codes
- .gitignore: Split up and rearrange .gitignore files
- .gitignore: Add runsuite.log
- Stop calling xmlMemoryDump
- examples: Don't call xmlCleanupParser and xmlMemoryDump
- xpath: Remove remaining references to valueFrame
### Portability
- python: Make it compatible with python3.12 (Daniel Garcia Moreno)
### Build systems
- cmake: Check whether static linking dependencies found in config files
(James Le Cuirot)
- autotools: Make --with-minimum disable lzma support
- build: Remove some GCC warnings
- Handle NOCONFIG case when setting locations from CMake target properties
(Markus Rickert)
- cmake: Generate better pkg-config file for SYSROOT builds under CMake
(James Le Cuirot)
- autoconf: Include non-pkg-config dependency flags in the pkg-config file
(James Le Cuirot)
- autoconf: Don't bake build time CFLAGS into pkg-config file (James Le Cuirot)
- build: Generate better pkg-config files for static-only builds (James
Le Cuirot)
- build: Generate better pkg-config file for SYSROOT builds (James Le Cuirot)
- autoconf: Allow custom --with-icu configure option
### Tests
- tests: Also test xmlNextChar in testchar.c
- tests: Start with testparser.c for extra tests
- fuzz: Raise rss_limit_mb
- fuzz: Test xmlTextReaderRead after EOF or failure
- fuzz: Test XML_PARSE_XINCLUDE | XML_PARSE_VALID
- tests: Handle entities in SAX tests
- fuzz: Disable XML_PARSE_SAX1 option in xml fuzzer
- tests: Add more tests for redefined attributes
- hash: Add hash table tests
- tests: Add ATTRIBUTE_NO_SANITIZE_INTEGER macro
- fuzz: Allow to fuzz without push, reader or output modules
- gitlab-ci: Add a "medium" config build
- python: Fix tests on MinGW
- test: Add push parser test with overridden encoding
- testapi: test_xmlSAXDefaultVersion() leaves xmlSAX2DefaultVersionValue set
to 1 with LIBXML_SAX1_ENABLED (David Kilzer)
- gitlab-ci: Lower _XOPEN_SOURCE value
- testapi: Don't set http_proxy environment variable
- test: Add push parser tests for split UTF-8 sequences
- xinclude: Lower initial table size when fuzzing
- tests: Test streaming schema validation
- runtest: Skip element name in schema error messages
### Documentation
- doc: Add notes about runtest to MAINTAINERS.md
- doc: Don't document internal macros in xmlversion.h
- doc: Allow 'unsigned' without 'int'
- doc: Improve documentation of configuration options
2.11.6: Nov 16 2023
### Regressions
- threads: Fix --with-thread-alloc
- xinclude: Fix 'last' pointer in xmlXIncludeCopyNode
### Bug fixes
- parser: Fix potential use-after-free in xmlParseCharDataInternal
2.11.5: Aug 9 2023
### Regressions
- parser: Make xmlSwitchEncoding always skip the BOM
- autotools: Improve iconv check
### Bug fixes
- valid: Fix c1->parent pointer in xmlCopyDocElementContent
- encoding: Always call ucnv_convertEx with flush set to false
### Portability
- autotools: fix Python module file ext for cygwin/msys2 (Christoph Reiter)
### Tests
- runtest: Fix compilation without LIBXML_HTML_ENABLED
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
