Since the kernel now always reports 256 bits of entropy to be available,
this CGI does not show any useful information anymore. To avoid
confusions, it will hereby be removed entirely.
Fixes: #12893
Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
This is no longer required because the kernel will now try to
generate some randomness in an easier way when needed.
This has been added in: b923dd3de0
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Reviewed-by: Peter Müller <peter.mueller@ipfire.org>
This patch, which has been merged into the mainline Linux kernel, but
not yet backported to the 5.15.x tree, precisely addresses our
situation: IPFire does not use systemd, but CONFIG_DEVTMPFS_MOUNT.
The only explanation I have for bug #12889 arising _now_ is that some
component (dracut, maybe) changed its behaviour regarding remounting of
already mounted special file systems. As current dracut won't (re)mount
any file system already found to be mounted, this means that the mount
options decided by the kernel remained untouched for /dev, hence being
weak in terms of options hardening possible.
As CONFIG_DEVTMPFS_SAFE would not show up in "make menuconfig", changes
to kernel configurations have been simulated.
Fixes: #12889
Cc: Michael Tremer <michael.tremer@ipfire.org>
Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
- Add true/false return codes to fetchfile, getmetafile and getmirrors
indicating succes or failure.
- Check on those return codes and fail gracefully with clean
error message(s) when downloads fail.
- Replace duplicate meta-file fetching code in dbgetlist with
getmetafile function (fixing possibly missed cariage return
conversion in meta-files).
- Remove pointless 5 retries to download server-list.db in
selectmirror as fetchfile already retries 5 times.
- lfs and rootfile created
- Patch created to remove requirement for winapi and related windows dependencies
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
- lfs and rootfile created
- python3-cryptography build requires older version than was already installed.
Therefore named version 0.1.18 created, leaving original rust-paste in place
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
- lfs and rootfile created
- python3-cryptography build requires older version than was already installed.
Therefore named version 0.3.6 created, leaving original rust-indoc in place
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
- lfs and rootfile created
- Patch created to remove requirement for winapi and related windows dependencies
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
- Update from version 0.13.1 to 0.15.1
Required to be at same version as rust-pyo3
- Update of rootfile
- Changelog not available
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
- Update from version 0.13.1 to 0.15.1
Required to be at same version as rust-pyo3
- Update of rootfile
- Changelog not available
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
- Update from version 0.13.1 to 0.15.1
- Update of rootfile
- Changelog is too long to include here. For details see CHANGELOG.md file in source
tarball
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
- Update from version 3.4.7 to 36.0.2
After version 3.4.8 the numbering scheme changed to 35.0.0 in Sept 2021
See Chanelog section 35.0.0 below
- New release requires a lot of rust packages - see Changelog sections 35.0.0 & 36.0.0
below. The required rust packages are installed in separate patches in this series
- Update of rootfile
- Changelog
36.0.2 - 2022-03-15¶
Updated Windows, macOS, and Linux wheels to be compiled with OpenSSL 1.1.1n.
36.0.1 - 2021-12-14¶
Updated Windows, macOS, and Linux wheels to be compiled with OpenSSL 1.1.1m.
36.0.0 - 2021-11-21¶
FINAL DEPRECATION Support for verifier and signer on our asymmetric key
classes was deprecated in version 2.0. These functions had an extended
deprecation due to usage, however the next version of cryptography will drop
support. Users should migrate to sign and verify.
The entire X.509 layer is now written in Rust. This allows alternate
asymmetric key implementations that can support cloud key management
services or hardware security modules provided they implement the necessary
interface (for example: EllipticCurvePrivateKey).
Deprecated the backend argument for all functions.
Added support for AESOCB3.
Added support for iterating over arbitrary request attributes.
Deprecated the get_attribute_for_oid method on CertificateSigningRequest in
favor of get_attribute_for_oid() on the new Attributes object.
Fixed handling of PEM files to allow loading when certificate and key are in
the same file.
Fixed parsing of CertificatePolicies extensions containing legacy BMPString
values in their explicitText.
Allow parsing of negative serial numbers in certificates. Negative serial
numbers are prohibited by RFC 5280 so a deprecation warning will be raised
whenever they are encountered. A future version of cryptography will drop
support for parsing them.
Added support for parsing PKCS12 files with friendly names for all
certificates with load_pkcs12(), which will return an object of type
PKCS12KeyAndCertificates.
rfc4514_string() and related methods now have an optional attr_name_overrides
parameter to supply custom OID to name mappings, which can be used to match
vendor-specific extensions.
BACKWARDS INCOMPATIBLE: Reverted the nonstandard formatting of email address
fields as E in rfc4514_string() methods from version 35.0.
The previous behavior can be restored with:
name.rfc4514_string({NameOID.EMAIL_ADDRESS: "E"})
Allow X25519PublicKey and X448PublicKey to be used as public keys when
parsing certificates or creating them with CertificateBuilder. These key
types must be signed with a different signing algorithm as X25519 and X448
do not support signing.
Extension values can now be serialized to a DER byte string by calling
public_bytes().
Added experimental support for compiling against BoringSSL. As BoringSSL
does not commit to a stable API, cryptography tests against the latest
commit only. Please note that several features are not available when
building against BoringSSL.
Parsing CertificateSigningRequest from DER and PEM now, for a limited time
period, allows the Extension critical field to be incorrectly encoded. See
the issue for complete details. This will be reverted in a future
cryptography release.
When OCSPNonce are parsed and generated their value is now correctly wrapped
in an ASN.1 OCTET STRING. This conforms to RFC 6960 but conflicts with the
original behavior specified in RFC 2560. For a temporary period for
backwards compatibility, we will also parse values that are encoded as
specified in RFC 2560 but this behavior will be removed in a future release.
35.0.0 - 2021-09-29¶
Changed the version scheme. This will result in us incrementing the major
version more frequently, but does not change our existing backwards
compatibility policy.
BACKWARDS INCOMPATIBLE: The X.509 PEM parsers now require that the PEM
string passed have PEM delimiters of the correct type. For example, parsing
a private key PEM concatenated with a certificate PEM will no longer be
accepted by the PEM certificate parser.
BACKWARDS INCOMPATIBLE: The X.509 certificate parser no longer allows
negative serial numbers. RFC 5280 has always prohibited these.
BACKWARDS INCOMPATIBLE: Additional forms of invalid ASN.1 found during X.509
parsing will raise an error on initial parse rather than when the malformed
field is accessed.
Rust is now required for building cryptography, the
CRYPTOGRAPHY_DONT_BUILD_RUST environment variable is no longer respected.
Parsers for X.509 no longer use OpenSSL and have been rewritten in Rust.
This should be backwards compatible (modulo the items listed above) and
improve both security and performance.
Added support for OpenSSL 3.0.0 as a compilation target.
Added support for SM3 and SM4, when using OpenSSL 1.1.1. These algorithms
are provided for compatibility in regions where they may be required, and
are not generally recommended.
We now ship manylinux_2_24 and musllinux_1_1 wheels, in addition to our
manylinux2010 and manylinux2014 wheels. Users on distributions like Alpine
Linux should ensure they upgrade to the latest pip to correctly receive
wheels.
Added rfc4514_attribute_name attribute to x509.NameAttribute.
Added KBKDFCMAC.
3.4.8 - 2021-08-24¶
Updated Windows, macOS, and manylinux wheels to be compiled with
OpenSSL 1.1.1l.
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
- Update from version 1.9.10 to 1.9.11p3
- Update of rootfile required
- Changelog
What's new in Sudo 1.9.11p3
* Fixed "connection reset" errors on AIX when running shell scripts
with the "intercept" or "log_subcmds" sudoers options enabled.
Bug #1034.
* Fixed very slow execution of shell scripts when the "intercept"
or "log_subcmds" sudoers options are set on systems that enable
Nagle's algorithm on the loopback device, such as AIX.
Bug #1034.
What's new in Sudo 1.9.11p2
* Fixed a compilation error on Linux/x86_64 with the x32 ABI.
* Fixed a regression introduced in 1.9.11p1 that caused a warning
when logging to sudo_logsrvd if the command returned no output.
What's new in Sudo 1.9.11p1
* Correctly handle EAGAIN in the I/O read/right events. This fixes
a hang seen on some systems when piping a large amount of data
through sudo, such as via rsync. Bug #963.
* Changes to avoid implementation or unspecified behavior when
bit shifting signed values in the protobuf library.
* Fixed a compilation error on Linux/aarch64.
* Fixed the configure check for seccomp(2) support on Linux.
* Corrected the EBNF specification for tags in the sudoers manual
page. GitHub issue #153.
What's new in Sudo 1.9.11
* Fixed a crash in the Python module with Python 3.9.10 on some
systems. Additionally, "make check" now passes for Python 3.9.10.
* Error messages sent via email now include more details, including
the file name and the line number and column of the error.
Multiple errors are sent in a single message. Previously, only
the first error was included.
* Fixed logging of parse errors in JSON format. Previously,
the JSON logger would not write entries unless the command and
runuser were set. These may not be known at the time a parse
error is encountered.
* Fixed a potential crash parsing sudoers lines larger than twice
the value of LINE_MAX on systems that lack the getdelim() function.
* The tests run by "make check" now unset the LANGUAGE environment
variable. Otherwise, localization strings will not match if
LANGUAGE is set to a non-English locale. Bug #1025.
* The "starttime" test now passed when run under Debian faketime.
Bug #1026.
* The Kerberos authentication module now honors the custom password
prompt if one has been specified.
* The embedded copy of zlib has been updated to version 1.2.12.
* Updated the version of libtool used by sudo to version 2.4.7.
* Sudo now defines _TIME_BITS to 64 on systems that define __TIMESIZE
in the header files (currently only GNU libc). This is required
to allow the use of 64-bit time values on some 32-bit systems.
* Sudo's "intercept" and "log_subcmds" options no longer force the
command to run in its own pseudo-terminal. It is now also
possible to intercept the system(3) function.
* Fixed a bug in sudo_logsrvd when run in store-first relay mode
where the commit point messages sent by the server were incorrect
if the command was suspended or received a window size change
event.
* Fixed a potential crash in sudo_logsrvd when the "tls_dhparams"
configuration setting was used.
* The "intercept" and "log_subcmds" functionality can now use
ptrace(2) on Linux systems that support seccomp(2) filtering.
This has the advantage of working for both static and dynamic
binaries and can work with sudo's SELinux RBAC mode. The following
architectures are currently supported: i386, x86_64, aarch64,
arm, mips (log_subcmds only), powerpc, riscv, and s390x. The
default is to use ptrace(2) where possible; the new "intercept_type"
sudoers setting can be used to explicitly set the type.
* New Georgian translation from translationproject.org.
* Fixed creating packages on CentOS Stream.
* Fixed a bug in the intercept and log_subcmds support where
the execve(2) wrapper was using the current environment instead
of the passed environment pointer. Bug #1030.
* Added AppArmor integration for Linux. A sudoers rule can now
specify an APPARMOR_PROFILE option to run a command confined by
the named AppArmor profile.
* Fixed parsing of the "server_log" setting in sudo_logsrvd.conf.
Non-paths were being treated as paths and an actual path was
treated as an error.
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Reviewed-by: Peter Müller <peter.mueller@ipfire.org>
- Update from version 5.16.0 to 5.18.0
- Update of rootfile not required
- Changelog
Release v5.18.0
xfsprogs: more autoconf modernisation
Release v5.18.0-rc1
mkfs: Fix memory leak
xfsprogs: autoconf modernisation
xfs_io: add a quiet option to bulkstat
metadump: be careful zeroing corrupt inode forks
metadump: handle corruption errors without aborting
xfs_db: take BB cluster offset into account when using 'type' cmd
xfs_scrub: don't revisit scanned inodes when reprocessing a stale inode
xfs_scrub: balance inode chunk scan across CPUs
xfs_scrub: prepare phase3 for per-inogrp worker threads
xfs_scrub: widen action list length variables
xfs_scrub: in phase 3, use the opened file descriptor for repair calls
xfs_scrub: make phase 4 go straight to fstrim if nothing to fix
xfs_scrub: don't try any file repairs during phase 3 if AG metadata bad
xfs_scrub: fall back to scrub-by-handle if opening handles fails
xfs_scrub: in phase 3, use the opened file descriptor for scrub calls
xfs_scrub: collapse trivial file scrub helpers
xfs_repair: check the ftype of dot and dotdot directory entries
xfs_repair: improve error reporting when checking rmap and refcount btrees
xfs_repair: detect v5 featureset mismatches in secondary supers
mkfs: don't trample the gid set in the protofile
mkfs: round log size down if rounding log start up causes overflow
mkfs: improve log extent validation
mkfs: don't let internal logs bump the root dir inode chunk to AG 1
mkfs: reduce internal log size when log stripe units are in play
mkfs: fix missing validation of -l size against maximum internal log size
xfs_repair: fix sizing of the incore rt space usage map calculation
xfs_db: report absolute maxlevels for each btree type
xfs_db: support computing btheight for all cursor types
xfs_repair: warn about suspicious btree levels in AG headers
xfs_db: warn about suspicious finobt trees when metadumping
xfs: note the removal of XFS_IOC_FSSETDM in the documentation
xfs_db: fix a complaint about a printf buffer overrun
xfs_scrub: move to mallinfo2 when available
debian: support multiarch for libhandle
debian: bump compat level to 11
debian: refactor common options
Release v5.18.0-rc0
mm/fs: delete PF_SWAPWRITElibxfs-5.18-sync
xfs: document the XFS_ALLOC_AGFL_RESERVE constant
xfs: constify xfs_name_dotdot
xfs: constify the name argument to various directory functions
xfs: remove the XFS_IOC_{ALLOC,FREE}SP* definitions
xfs: remove the XFS_IOC_FSSETDM definitions
xfs: pass the mapping flags to xfs_bmbt_to_iomap
Release v5.16.0
libxfs: remove kernel stubs from xfs_shared.h
debian: Generate .gitcensus instead of .census (Closes: #999743)
Release v5.16.0-rc0
xfs: Fix the free logic of state in xfs_attr_node_hasname
xfs: #ifdef out perag code for userspace
xfs: use swap() to make dabtree code cleaner
xfs: remove unused parameter from refcount code
xfs: reduce the size of struct xfs_extent_free_item
xfs: rename xfs_bmap_add_free to xfs_free_extent_later
xfs: create slab caches for frequently-used deferred items
xfs: compact deferred intent item structures
xfs: rename _zone variables to _cache
xfs: remove kmem_zone typedef
xfs: use separate btree cursor cache for each btree type
xfs: compute absolute maximum nlevels for each btree type
xfs: kill XFS_BTREE_MAXLEVELS
xfs_repair: stop using XFS_BTREE_MAXLEVELS
xfs_db: stop using XFS_BTREE_MAXLEVELS
xfs: compute the maximum height of the rmap btree when reflink enabled
xfs: clean up xfs_btree_{calc_size,compute_maxlevels}
xfs: compute maximum AG btree height for critical reservation calculation
xfs: rename m_ag_maxlevels to m_allocbt_maxlevels
xfs: dynamically allocate cursors based on maxlevels
xfs: encode the max btree height in the cursor
xfs: refactor btree cursor allocation function
xfs: rearrange xfs_btree_cur fields for better packing
xfs: prepare xfs_btree_cur for dynamic cursor heights
xfs: reduce the size of nr_ops for refcount btree cursors
xfs: remove xfs_btree_cur.bc_blocklog
xfs: fix perag reference leak on iteration race with growfs
xfs: terminate perag iteration reliably on agcount
xfs: rename the next_agno perag iteration variable
xfs: fold perag loop iteration logic into helper function
xfs: remove the xfs_dqblk_t typedef
xfs: remove the xfs_dsb_t typedef
xfs: remove the xfs_dinode_t typedef
xfs: check that bc_nlevels never overflows
xfs: remove xfs_btree_cur_t typedef
xfs: fix maxlevels comparisons in the btree staging code
xfs: port the defer ops capture and continue to resource capture
xfs: formalize the process of holding onto resources across a defer roll
xfs: use kmem_cache_free() for kmem_cache objects
xfs_repair: fix AG header btree level comparisons
xfs_db: fix metadump level comparisons
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Reviewed-by: Peter Müller <peter.mueller@ipfire.org>
- The fix for bug #12428 removed spaces from the validhostname subroutine as hostnames are
not supposed to have spaces
- This resulted in spaces no longer being allowed for the Static IP Address Pools names
- New subroutine created called validccdname. This allows letters, upper and lower case,
numbers, spaces and dashes
Fixes: Bug #12865
Tested-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
- The fix for bug #12428 removed spaces from the validhostname subroutine as hostnames are
not supposed to have spaces
- This resulted in spaces no longer being allowed for the Static IP Address Pools names
- New subroutine created called validccdname in general-functions.pl
Fixes: Bug #12865
Tested-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
- New python module required for borgbackup. In borgbackup version 1.1.18 or 1.1.19
the old bundled msgpack in borgbackup was removed and a specified version range
of python3-msgpack required.
- This patch adds the lfs and rootfiles for this module
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
