This was newly introduced in OpenSSH 9.9, hence our custom
configurations for both SSH server and client need to be updated.
Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Full changelog of this release:
*) SECURITY: CVE-2023-49582: Apache Portable Runtime (APR):
Unexpected lax shared memory permissions (cve.mitre.org)
Lax permissions set by the Apache Portable Runtime library on
Unix platforms would allow local users read access to named
shared memory segments, potentially revealing sensitive
application data.
This issue does not affect non-Unix platforms, or builds with
APR_USE_SHMEM_SHMGET=1 (apr.h)
Users are recommended to upgrade to APR version 1.7.5, which
fixes this issue.
Credits: Thomas Stangner
*) Unix: Implement apr_shm_perms_set() for the "POSIX shm_open()"
and "classic mmap" shared memory implementations. [Joe Orton,
Ruediger Pluem]
*) Fix missing ';' for XML/HTML hex entities from apr_escape_entity().
[Yann Ylavic]
*) Fix crash in apr_pool_create() with --enable-pool-debug=all|owner.
[Yann Ylavic]
*) Improve platform detection by updating config.guess and config.sub.
[Rainer Jung]
*) CMake: Add support for CMAKE_WARNING_AS_ERROR. [Ivan Zhakov]
*) CMake: Enable support for MSVC runtime library selection by abstraction.
[Ivan Zhakov]
*) CMake: Export installed targets (libapr-1, apr-1, libaprapp-1, aprapp-1)
to apr:: namespace. [Ivan Zhakov]
Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
- An additional key was defined for a PSK being base64 encoded. All existing PSK's that
are not base64 encoded will have that key empty. This enables base64 encoded PSK's and
non base64 encoded PSK'sd to be differentiated.
- If the PSK connection is disabled and then enabled with a non base64 encoded PSK the PSK
will be left as it is. If the edit page is selected and Save pressed, even if nothing
has been modified, then the PSK will be converted to a base64 encoded PSK.
- The old style and new style PSK was tested out on my vm system and worked without any
issue.
- Using an old non base64 encoded PSK the IPSec connection worked without any problems.
If the PSK was tehn converted to basse64 encoding by saving from the Edit page without
changing anything, then the client IPSec connection was successfully made without any
indication of a change. The conversion from non base64 to base64 encoded PSK occurred
seamlessly without any hiccup.
Fixes: Bug13029
Tested-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
- As all characters, except for the single quotation mark, are now allowed in the PSK
with the base64 encoding implemented then the error message in the English Lang file
has been changed to explicitly mention the single quotation mark rather than characters
as a generic message.
Fixes: Bug13029
Tested-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
- This adds the base64 encoded PSK into the config file and when the ipsec.secrets file
is created the PSK is base64 decoded to write it to the file. The ipsec.secrets file
surrounds the PSK with single quotation marks so that character is not allowed to be
used in the PSK but anything else can be.
- Tested out on my vm system and shown to be working. New PSK with various characters
characters including commas was base64 encoded before putting into the config file
and therefore was accepted by the code. If a single quotation mark was used in the
PSK then the error message about invalid characters was shown.
Fixes: Bug13029
Tested-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
- As requested in bug 13074, create a collectd.d directory to enable any addon definitions
to be created.
- Added include statement in conf file to load everything that is stored in the collectd.d
directory.
- collectd.precache and collectd.thermal have been left in their original locations
- Removed the arm section in the initscript as only aarch64 is now used.
- Modified the lfs to create the collectd.d directory
- Removal of collectd.custom file as this was the previous way to define custom collectd
profiles but would have been overwritten by any update of collectd.
- Update of rootfile to take account of new path and removal of collectd.custom
- Tested out in vm testbed with Core Update 188 and all existing graphs were still created
and updated. From my evaluation the changes have not affected anything.
- The creation of the collectd.d directory now allows users to add their own desired
profiles but also if it is decided that an addon should be included in the processes
graph, or if a new graph for addons is created then profiles for that addon can be
placed in the collectd.d directory and will be automatically included by collectd.
Fixes: Bug13074
Tested-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
- Due to the update of openssh to version 9.8 in CU187, logwatch no longer found the sshd
login data from the messages log as the daemon was changed to sshd-session.
- Therefore the daily logwatch files were missing the sshd information in them.
- A patch to add support for openssh-9.8 sshd-session and port info has been merged into
the logwatch git system and will be included into the next released version of logwatch
- Update logwatch from version 7.8 to 7.11 and add patch for openssh-9.8 support.
- Update the previous three logwatch patches for version 7.11
- Tested on my vm testbed. Confirmed that logwatch now includes back the sshd information
into the Log Summary page.
- When logwatch is updated to version 7.12 then the openssh-9.8 support patch will be able
to be removed.
Fixes: bug13762
Tested-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
- With the update of openssh to version 9.8 in CU187 the daemon was changed from sshd to
sshd-session. Therefore the log.dat no longer finds any info related to the logins.
- This updates the section regex to look for both sshd and sshd-session.
- Tested out on my vm system and confirmed to work.
- This fix will make available all previous log info for sshd-session in the messages log
as it continued to be stored, just could not be read by the WUI system log.
Fixes: bug13762
Tested-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Tested-by: Bernhard Bitsch <bbitsch@ipfire.org>
Reviewed-by: Bernhard Bitsch <bbitsch@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
- Update from version 1.11.1 to 1.12.1
- Update of rootfile not required
- Changelog
1.12.1
Bugfixes:
Screen updates extremely slow on Windows #2435
Dry run error if the build directory does not exist #2431
New critical path scheduler performance improvements #2443
1.12.0
Critical path scheduler which orders the jobs by their runtime history #2177
This may break your build if you haven't specified your dependencies
correctly.
Resiliency against inputs changing during the build #1943
Reliable ETA and progress percentage in status #1963
Support for path lengths over 260 characters on Windows #1900
ARM binaries are now available for Windows and Linux, too
Several bugfixes
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
- Update from version 1.26.1 to 1.26.2
- Update of rootfile not required
- CVE Fix in this version
- Changelog
1.26.2
*) Security: processing of a specially crafted mp4 file by the
ngx_http_mp4_module might cause a worker process crash
(CVE-2024-7347).
Thanks to Nils Bars.
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
- Update from version 3.9 to 3.10
- Update of rootfile
- Changelog
3.10
This is a maintenance release, including a few each of bug
fixes, new features and optimizations.
The new version is intended to be fully source and binary
compatible with Nettle-3.6. The shared library names are
libnettle.so.8.9 and libhogweed.so.6.9, with sonames
libnettle.so.8 and libhogweed.so.6.
Bug fixes:
* Add missing hash functions sha512_224 and sha512_256 to the
nettle_get_hashes() list. The name values in the
corresponding nettle_hash structs also changed to use
underscore instead of dash, for consistency.
* Fix a few cases of formally undefined calls to memcpy(dst,
NULL, 0), resulting from valid calls to, e.g.,
sha256_update(ctx, 0, NULL).
New features:
* Support RSA-OAEP encryption. Contributed by Nicolas Mora and
Daiki Ueno.
* New function sha3_256_shake_output, new functions
sha3_128_init, sha3_128_update, sha3_128_shake,
sha3_128_shake_output. Contributed by Daiki Ueno.
* Added DRBG-CTR with AES256, contributed by Simon Josefsson.
Optimizations:
* New combined gcm-aes assembly for powerpc64, contributed by
Danny Tsen.
* New sha256 assembly for powerpc64, contributed by Eric
Richter.
* Improved performance for powerpc64 AES decrypt, by skipping
subkey transformations that don't suit the vncipher
instructions.
* Add arm64 CPU feature detection for Android and for Apple systems,
contributed by Foolbar and Tim Kosse, prespectively.
Miscellaneous:
* New tests for side-channel silence, based on valgrind.
* Delete all md5 assembly code. Delete all sparc32 assembly code.
3.9.1
This is a bugfix release, fixing a few bugs reported for
Nettle-3.9. The bug in the new OCB code may be exploitable for
denial of service or worse, since triggering it leads to
memory corruption. Upgrading from Nettle-3.9 to the new
version is strongly recommended.
The new version is intended to be fully source and binary
compatible with Nettle-3.6. The shared library names are
libnettle.so.8.8 and libhogweed.so.6.8, with sonames
libnettle.so.8 and libhogweed.so.6.
Bug fixes:
* Fix OCB loop for processing messages of size 272 bytes or
larger. Reported and fixed by Jussi Kivilinna.
* Fix alignment bug in the new x86_64 non-pclmul assembly
implementation of ghash. Reported by Henrik Grubbström.
* Fix build-time memory leak in eccdata. Reported by Noah
Watkins.
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
- Update from version 3.2.5 to 3.2.8
- Update of rootfile not required
- Changelog
3.2.8
* UPD: Bump bundled WolfSSL library to stable version 5.7.2, GitHub #1433
Resolves CVE-2024-1544, CVE-2024-5288, CVE-2024-5991, CVE-2024-5814
* UPD: Revert local modifications to the bundled WolfSSL library, GitHub #1432
* FIX: Enable building against a shared WolfSSL 5.7.2 library, GitHub #1421
* FIX: meson: Do not define rpath with a linker argument, GitHub #1443
3.2.7
* NEW: meson: Ability to control the run-time linker path config file,
GitHub #1396
New boolean Meson option: `-Dwith-ldsoconf'
When set to false, do not create /etc/ld.so.conf.d/libatalk.conf
* BREAKING: meson: Enable rpath by default, while disabling ldsoconf
by default, GitHub #1417
* FIX: meson: Allow ldconfig to run unprivileged during setup, GitHub #1407
* FIX: docker: Add entry script step to clean up any residual lock file,
GitHub #1412
* NEW: docker: Ship a docker-compose.yml sample file, GitHub #1414
* NEW: docker: Check for AFP_USER and AFP_PASS when launching container,
GitHub #1415
3.2.6
* BREAKING: meson: Refresh the dynamic linker cache when installing on Linux,
GitHub #1386
This fixes the issue of the libatalk.so shared library not being found
when configuring with a non-standard library path, e.g. /usr/local/lib .
New Meson option `-Dwith-install-hooks' controls this behavior,
allowing you to disable the install hook in non-privileged environments.
On Linux systems with glibc, we now install the following config file:
/etc/ld.so.conf.d/libatalk.conf
* BREAKING: meson: Introduce option to control which manual l10n to build,
GitHub #1390
New Meson option `-Dwith-manual-l10n' default to empty, can be set to
`ja' to build the Japanese localization of the html manual.
This changes the default behavior of the build system
to not build the Japanese html manual by default.
* BREAKING: meson: Install htmldocs into htmldocs subdir, GitHub #1391
Previously, the html manual files were installed into the root
of the netatalk doc directory. Now they are put under netatalk/htmldocs .
* BREAKING: meson: Use modern linker flag for rpath, remove dtags override,
GitHub #1384
When configuring with `-Dwith-rpath=true' the linker flags
`-Wl,-rpath,' will be prepended instead of the old `-R' flag.
On Linux platforms, we no longer prepend `-Wl,--enable-new-dtags',
either.
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
- Update from version 2.03.23 to 2.03.26
- Update of rootfile not required
- Changelog
2.03.26
Fix internal error reported by pvmove on a VG with single PV.
Also accept --mknodes --refresh for vgscan.
Fix vgmknodes --refresh to wait for udev before checking /dev content.
Use log/report_command_log=1 config setting by default for JSON output format.
Fix unreleased memory pools on RAID lvextend.
Add --integritysettings option to manipuilate dm-integrity settings.
2.03.25
Utilize more radix_tree instead of dm_hash and btree.
Refactor DM uuid caching from device_mapper directory.
Enhance checking for DM uuid device.
Fix lvm shell command completion on tab key (2.03.24).
Avoid lockd_vg call to lvmlockd for local VGs.
Allow forced change of locktype from none.
Handle OPTIONS defined in /etc/sysconfig/lvmlockd.
2.03.24
Lvconvert supports VDO options for thin-pool with vdo conversion.
Improve placement to .data.rel.ro and .rodata sections.
Fix support for -y and -W when creating thinpool with vdo.
Bettter support for runtime valgrind detection.
Allow command interruption when communicating with dmeventd.
Fix resize of VDO volume used for thin pool data volume.
Use -Wl,-z,now and -Wl,--as-needed for compilation by default.
Require 3.7 as minimal version for sanlock.
Share code for closing opened desriptors on program startup.
Fix memleak in lvmcache.
Add configure --with-default-event-activation=ON setting.
Fix return value from reporter function when hitting internal error.
Skip checking of pools for lvremove and vgremove commands.
VDO modprobes dm-vdo for 6.9 kernel and kvdo for older kernel version.
Fix lvs reporting for VDO volumes with new upstream kernel driver.
Don't import DM_UDEV_DISABLE_OTHER_RULES_FLAG in LVM rules, DM rules cover it.
Fix table line generation for cache snapshots using cachevol.
Enhance lvconvert support for external origins stacking.
When swapping LV names also swap properties like hostname, time and data.
Fix removal of stacked external origins.
Lock filesystem when converting volume to read-only external origin.
Support external origin between different thin-pool.
Improve validation of acceptable volumes for external origins.
Reduce amount of preloaded devices for complex device trees.
Avoid logging problems from monitoring snapshots with inactive origins.
Check for cache policy module presence in kernel's builtin modules file.
Add configure --with-modulesdir to select kernel modules directory.
Support creation of thin-pool with VDO use for its data volume.
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
- Update from version 3.21.0 to 3.22.0
- Update for rootfile not required
- autogen.sh step not required as configure file has been available in source tarball
since version 3.10.0 in 2016
- xz version of logrotate available so changed to that.
- Changelog
3.22.0
- fix calculations for time differences (#516)
- fix extension for zip compression (#545)
- fix omitted copy for logs with `mail` and `rotate 0` (#553)
- fix wrongly skipping copy with `copytruncate` and `compress` (#553)
- fix ambiguities between `mode`, `UID` and `GID` parsing when not specifying all options (#575)
- fix hang when encountering a named pipe (#607)
- on prerotate failure logs are preserved instead of rotated (#506)
- in case a configuration file was skipped due to unsafe permissions the
exit status after rotattion will be `1` (#508)
- the state is no longer written to non-regular files (#529)
- the systemd timer now correctly utilizes load distribution (#574)
- add dateformat specifier `%z` for timezone offsets (#594)
- change default mode for created `olddir` directories to `0755` (#560)
- support quoted user and group names in `su`, `create`, and `createolddir` (#575)
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
- Update from 0.9.31 to 0.9.33
- Update of rootfile not required
- Changelog
0.9.33
ITS#9037 mdb_page_search: fix error code when DBI record is missing
ITS#10198 For win32, stop passing ignored parameter
ITS#10212 Fix meta page usage by read only tools
0.9.32
ITS#9378 - Add ability to replay log and replay log tool
ITS#10095 - partial revert of ITS#9278. The patch was incorrect and introduced numerous race conditions.
ITS#10125 - mdb_load: fix cursor reinit in Append mode
ITS#10137 - Allow users to define MDB_IDL_LOGN
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
- Update from version 1.6.42 to 1.6.44
- Update of rootfile
- Changelog
1.6.44
Hardened calculations in chroma handling to prevent overflows, and
relaxed a constraint in cHRM validation to accomodate the standard
ACES AP1 set of color primaries.
(Contributed by John Bowler)
Removed the ASM implementation of ARM Neon optimizations and updated
the build accordingly. Only the remaining C implementation shall be
used from now on, thus ensuring the support of the PAC/BTI security
features on ARM64.
(Contributed by Ross Burton and John Bowler)
Fixed the pickup of the PNG_HARDWARE_OPTIMIZATIONS option in the
CMake build on FreeBSD/amd64. This is an important performance fix
on this platform.
Applied various fixes and improvements to the CMake build.
(Contributed by Eric Riff, Benjamin Buch and Erik Scholz)
Added fuzzing targets for the simplified read API.
(Contributed by Mikhail Khachayants)
Fixed a build error involving pngtest.c under a custom config.
This was a regression introduced in a code cleanup in libpng-1.6.43.
(Contributed by Ben Wagner)
Fixed and improved the config files for AppVeyor CI and Travis CI.
1.6.43
Fixed the row width check in png_check_IHDR().
This corrected a bug that was specific to the 16-bit platforms,
and removed a spurious compiler warning from the 64-bit builds.
(Reported by Jacek Caban; fixed by John Bowler)
Added eXIf chunk support to the push-mode reader in pngpread.c.
(Contributed by Chris Blume)
Added contrib/pngexif for the benefit of the users who would like
to inspect the content of eXIf chunks.
Added contrib/conftest/basic.dfa, a basic build-time configuration.
(Contributed by John Bowler)
Fixed a preprocessor condition in pngread.c that broke build-time
configurations like contrib/conftest/pngcp.dfa.
(Contributed by John Bowler)
Added CMake build support for LoongArch LSX.
(Contributed by GuXiWei)
Fixed a CMake build error that occurred under a peculiar state of the
dependency tree. This was a regression introduced in libpng-1.6.41.
(Contributed by Dan Rosser)
Marked the installed libpng headers as system headers in CMake.
(Contributed by Benjamin Buch)
Updated the build support for RISCOS.
(Contributed by Cameron Cawley)
Updated the makefiles to allow cross-platform builds to initialize
conventional make variables like AR and ARFLAGS.
Added various improvements to the CI scripts in areas like version
consistency verification and text linting.
Added version consistency verification to pngtest.c also.
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
- Used in the samba addon.
- With the old separate module removed samba still successfully built, installed and was
able to be run from the WUI.
Fixes: bug13640
Tested-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
- Used by the git addon.
- With the old separate module removed git still successfully built, installed and was
able to be run, cloning the ipfire git repo, changing to next, modifying a file and
the running a commit with the change.
Fixes: bug13640
Tested-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
- Used in install-ipfire.sh script that is run by the install of vdradmin.
- With the old separate module removed vdradmin still successfully built and installed.
Fixes: bug13640
Tested-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
- Used in install-ipfire.sh script that is run by the install of vdradmin.
- With the old separate module removed vdradmin still successfully built and installed.
Fixes: bug13640
Tested-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
- Not referenced in the IPFire git repo so looks like not actively used
Fixes: bug13640
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
