Development June 2022

development@lists.ipfire.org

15 participants
66 discussions

[PATCH] ovpnmain.cgi: Fix for bug #12883 - separate .p12 file corrupted
by Adolf Belka 23 Jun '22

23 Jun '22

- Patch https://git.ipfire.org/?p=ipfire-2.x.git;a=commit;h=2feacd989823aa1dbd5844c… from May 2021 put the variable containing the .p12 content into double quotes which causes the contents to be treated as text whereas the .p12 file is an application file. - Most people must be downloading the zip package of .p12, ovpn.conf and ta.key files so the problem was not noticed till now and flagged up in the forum. https://community.ipfire.org/t/openvpn-p12-password-on-android-problem/8127 - The problem does not occur for the .p12 file in the zip file as the downloading of the zip file does not have the variable name in double quotes. - Putting the zip file variable into double quotes caused the downloaded zip file to be corrupt and not able to be opened as an archive. - Removing the double quotes from the .p12 variable name caused the separate .p12 file download to be able to be correctly opened. - The same quoted variable name is used also for the cacert.pem, cert.pem, servercert.pem and ta.key file downloads. To be consistent the same change has been applied to these. Fixes: Bug #2883 Tested-by: Adolf Belka <adolf.belka(a)ipfire.org> Signed-off-by: Adolf Belka <adolf.belka(a)ipfire.org> --- html/cgi-bin/ovpnmain.cgi | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/html/cgi-bin/ovpnmain.cgi b/html/cgi-bin/ovpnmain.cgi index b8c3e5064..736d17541 100644 --- a/html/cgi-bin/ovpnmain.cgi +++ b/html/cgi-bin/ovpnmain.cgi @@ -1564,7 +1564,7 @@ END print "Content-Disposition: filename=$cahash{$cgiparams{'KEY'}}[0]cert.pem\r\n\r\n"; my @tmp = &General::system_output("/usr/bin/openssl", "x509", "-in", "${General::swroot}/ovpn/ca/$cahash{$cgiparams{'KEY'}}[0]cert.pem"); - print "@tmp"; + print @tmp; exit(0); } else { @@ -1679,7 +1679,7 @@ END print "Content-Disposition: filename=cacert.pem\r\n\r\n"; my @tmp = &General::system_output("/usr/bin/openssl", "x509", "-in", "${General::swroot}/ovpn/ca/cacert.pem"); - print "@tmp"; + print @tmp; exit(0); } @@ -1693,7 +1693,7 @@ END print "Content-Disposition: filename=servercert.pem\r\n\r\n"; my @tmp = &General::system_output("/usr/bin/openssl", "x509", "-in", "${General::swroot}/ovpn/certs/servercert.pem"); - print "@tmp"; + print @tmp; exit(0); } @@ -1710,7 +1710,7 @@ END my @tmp = <FILE>; close(FILE); - print "@tmp"; + print @tmp; exit(0); } @@ -2615,7 +2615,7 @@ else my @tmp = <FILE>; close(FILE); - print "@tmp"; + print @tmp; exit (0); ### @@ -3234,7 +3234,7 @@ END my @tmp = <FILE>; close(FILE); - print "@tmp"; + print @tmp; exit (0); } -- 2.36.1

3 2

[PATCH 1/2] python3-botocore: Add httpchecksum module
by Michael Tremer 23 Jun '22

23 Jun '22

It looks like this has been commented out by mistake Signed-off-by: Michael Tremer <michael.tremer(a)ipfire.org> --- config/rootfiles/packages/python3-botocore | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/config/rootfiles/packages/python3-botocore b/config/rootfiles/packages/python3-botocore index 3696fe528..2ff8da3e1 100644 --- a/config/rootfiles/packages/python3-botocore +++ b/config/rootfiles/packages/python3-botocore @@ -1593,7 +1593,7 @@ usr/lib/python3.10/site-packages/botocore/exceptions.py usr/lib/python3.10/site-packages/botocore/handlers.py usr/lib/python3.10/site-packages/botocore/history.py usr/lib/python3.10/site-packages/botocore/hooks.py -#usr/lib/python3.10/site-packages/botocore/httpchecksum.py +usr/lib/python3.10/site-packages/botocore/httpchecksum.py usr/lib/python3.10/site-packages/botocore/httpsession.py usr/lib/python3.10/site-packages/botocore/loaders.py usr/lib/python3.10/site-packages/botocore/model.py -- 2.30.2

1 2

[PATCH 1/3] cloud: Execute user-data scripts at the end of initialization
by Michael Tremer 23 Jun '22

23 Jun '22

This is useful when the user-data needs to reboot an instance. Previously, some initialization did not happen which is now being done first before the user-data script is being executed. This gives users more flexibility about what they are doing in those scripts. Signed-off-by: Michael Tremer <michael.tremer(a)ipfire.org> --- src/initscripts/helper/aws-setup | 35 +++++++++++------------ src/initscripts/helper/azure-setup | 35 +++++++++++------------ src/initscripts/helper/exoscale-setup | 35 +++++++++++------------ src/initscripts/helper/gcp-setup | 35 +++++++++++------------ src/initscripts/helper/oci-setup | 41 +++++++++++++-------------- 5 files changed, 83 insertions(+), 98 deletions(-) diff --git a/src/initscripts/helper/aws-setup b/src/initscripts/helper/aws-setup index a40d4beeb..f14f4eb57 100644 --- a/src/initscripts/helper/aws-setup +++ b/src/initscripts/helper/aws-setup @@ -118,25 +118,6 @@ import_aws_configuration() { fi done - # Download the user-data script only on the first boot - if [ ! -e "/var/ipfire/main/firstsetup_ok" ]; then - # Download user-data - local user_data="$(get user-data)" - - # Save user-data script to be executed later - if [ "${user_data:0:2}" = "#!" ]; then - echo "${user_data}" > /tmp/aws-user-data.script - chmod 700 /tmp/aws-user-data.script - - # Run the user-data script - local now="$(date -u +"%s")" - /tmp/aws-user-data.script &>/var/log/user-data.log.${now} - - # Delete the script right away - rm /tmp/aws-user-data.script - fi - fi - # Import network configuration # After this, no network connectivity will be available from this script due to the # renaming of the network interfaces for which they have to be shut down @@ -259,6 +240,22 @@ import_aws_configuration() { echo "2,ACCEPT,INPUTFW,ON,std_net_src,ALL,ipfire,RED1,,TCP,,,ON,,,TGT_PORT,444,,,,,,,,,,,00:00,00:00,,AUTO,,dnat,,,,,second" ) >> /var/ipfire/firewall/input + # Download user-data + local user_data="$(get user-data)" + + # Save user-data script to be executed later + if [ "${user_data:0:2}" = "#!" ]; then + echo "${user_data}" > /tmp/aws-user-data.script + chmod 700 /tmp/aws-user-data.script + + # Run the user-data script + local now="$(date -u +"%s")" + /tmp/aws-user-data.script &>/var/log/user-data.log.${now} + + # Delete the script right away + rm /tmp/aws-user-data.script + fi + # This script has now completed the first steps of setup touch /var/ipfire/main/firstsetup_ok fi diff --git a/src/initscripts/helper/azure-setup b/src/initscripts/helper/azure-setup index 1eff57799..7a4422a35 100644 --- a/src/initscripts/helper/azure-setup +++ b/src/initscripts/helper/azure-setup @@ -141,25 +141,6 @@ import_azure_configuration() { fi done - # Download the user-data script only on the first boot - if [ ! -e "/var/ipfire/main/firstsetup_ok" ]; then - # Download user-data - local user_data="$(get customData)" - - # Save user-data script to be executed later - if [ "${user_data:0:2}" = "#!" ]; then - echo "${user_data}" > /tmp/azure-user-data.script - chmod 700 /tmp/azure-user-data.script - - # Run the user-data script - local now="$(date -u +"%s")" - /tmp/azure-user-data.script &>/var/log/user-data.log.${now} - - # Delete the script right away - rm /tmp/azure-user-data.script - fi - fi - # Import network configuration # After this, no network connectivity will be available from this script due to the # renaming of the network interfaces for which they have to be shut down @@ -279,6 +260,22 @@ import_azure_configuration() { echo "2,ACCEPT,INPUTFW,ON,std_net_src,ALL,ipfire,RED1,,TCP,,,ON,,,TGT_PORT,444,,,,,,,,,,,00:00,00:00,,AUTO,,dnat,,,,,second" ) >> /var/ipfire/firewall/input + # Download user-data + local user_data="$(get customData)" + + # Save user-data script to be executed later + if [ "${user_data:0:2}" = "#!" ]; then + echo "${user_data}" > /tmp/azure-user-data.script + chmod 700 /tmp/azure-user-data.script + + # Run the user-data script + local now="$(date -u +"%s")" + /tmp/azure-user-data.script &>/var/log/user-data.log.${now} + + # Delete the script right away + rm /tmp/azure-user-data.script + fi + # This script has now completed the first steps of setup touch /var/ipfire/main/firstsetup_ok fi diff --git a/src/initscripts/helper/exoscale-setup b/src/initscripts/helper/exoscale-setup index e9295cc9c..02fdda2a3 100644 --- a/src/initscripts/helper/exoscale-setup +++ b/src/initscripts/helper/exoscale-setup @@ -83,25 +83,6 @@ import_exoscale_configuration() { chown setup.nobody "/home/setup/.ssh/authorized_keys" fi - # Download the user-data script only on the first boot - if [ ! -e "/var/ipfire/main/firstsetup_ok" ]; then - # Download user-data - local user_data="$(get user-data)" - - # Save user-data script to be executed later - if [ "${user_data:0:2}" = "#!" ]; then - echo "${user_data}" > /tmp/user-data.script - chmod 700 /tmp/user-data.script - - # Run the user-data script - local now="$(date -u +"%s")" - /tmp/user-data.script &>/var/log/user-data.log.${now} - - # Delete the script right away - rm /tmp/user-data.script - fi - fi - # Import any previous settings for the local interfaces eval $(/usr/local/bin/readhash <(grep -E "^(GREEN|ORANGE)_.*=" /var/ipfire/ethernet/settings 2>/dev/null)) @@ -208,6 +189,22 @@ import_exoscale_configuration() { echo "2,ACCEPT,INPUTFW,ON,std_net_src,ALL,ipfire,RED1,,TCP,,,ON,,,TGT_PORT,444,,,,,,,,,,,00:00,00:00,,AUTO,,dnat,,,,,second" ) >> /var/ipfire/firewall/input + # Download user-data + local user_data="$(get user-data)" + + # Save user-data script to be executed later + if [ "${user_data:0:2}" = "#!" ]; then + echo "${user_data}" > /tmp/user-data.script + chmod 700 /tmp/user-data.script + + # Run the user-data script + local now="$(date -u +"%s")" + /tmp/user-data.script &>/var/log/user-data.log.${now} + + # Delete the script right away + rm /tmp/user-data.script + fi + # This script has now completed the first steps of setup touch /var/ipfire/main/firstsetup_ok fi diff --git a/src/initscripts/helper/gcp-setup b/src/initscripts/helper/gcp-setup index 935194931..4f5148c3e 100644 --- a/src/initscripts/helper/gcp-setup +++ b/src/initscripts/helper/gcp-setup @@ -118,25 +118,6 @@ import_gcp_configuration() { fi done <<<"$(get instance/attributes/ssh-keys)" - # Download the user-data script only on the first boot - if [ ! -e "/var/ipfire/main/firstsetup_ok" ]; then - # Download a startup script - local script="$(get instance/attributes/startup-script)" - - # Execute the script - if [ "${script:0:2}" = "#!" ]; then - echo "${script}" > /tmp/gcp-startup.script - chmod 700 /tmp/gcp-startup.script - - # Run the script - local now="$(date -u +"%s")" - /tmp/gcp-startup.script &>/var/log/startup-script.log.${now} - - # Delete the script right away - rm /tmp/gcp-startup.script - fi - fi - # Import network configuration # After this, no network connectivity will be available from this script due to the # renaming of the network interfaces for which they have to be shut down @@ -249,6 +230,22 @@ import_gcp_configuration() { echo "2,ACCEPT,INPUTFW,ON,std_net_src,ALL,ipfire,RED1,,TCP,,,ON,,,TGT_PORT,444,,,,,,,,,,,00:00,00:00,,AUTO,,dnat,,,,,second" ) >> /var/ipfire/firewall/input + # Download a startup script + local script="$(get instance/attributes/startup-script)" + + # Execute the script + if [ "${script:0:2}" = "#!" ]; then + echo "${script}" > /tmp/gcp-startup.script + chmod 700 /tmp/gcp-startup.script + + # Run the script + local now="$(date -u +"%s")" + /tmp/gcp-startup.script &>/var/log/startup-script.log.${now} + + # Delete the script right away + rm /tmp/gcp-startup.script + fi + # This script has now completed the first steps of setup touch /var/ipfire/main/firstsetup_ok fi diff --git a/src/initscripts/helper/oci-setup b/src/initscripts/helper/oci-setup index 782fde5a2..312014b74 100644 --- a/src/initscripts/helper/oci-setup +++ b/src/initscripts/helper/oci-setup @@ -147,28 +147,6 @@ import_oci_configuration() { fi done <<<"$(get instance/metadata/ssh_authorized_keys)" - # Download the user-data script only on the first boot - if [ ! -e "/var/ipfire/main/firstsetup_ok" ]; then - # Download a startup script - local script="$(get instance/metadata/user_data)" - - # Try to decode this - script="$(try_base64_decode "${script}")" - - # Execute the script - if [ "${script:0:2}" = "#!" ]; then - echo "${script}" > /tmp/user-data.script - chmod 700 /tmp/user-data.script - - # Run the script - local now="$(date -u +"%s")" - /tmp/user-data.script &>/var/log/user-data.log.${now} - - # Delete the script right away - rm /tmp/user-data.script - fi - fi - # Import network configuration # After this, no network connectivity will be available from this script due to the # renaming of the network interfaces for which they have to be shut down @@ -285,6 +263,25 @@ import_oci_configuration() { echo "2,ACCEPT,INPUTFW,ON,std_net_src,ALL,ipfire,RED1,,TCP,,,ON,,,TGT_PORT,444,,,,,,,,,,,00:00,00:00,,AUTO,,dnat,,,,,second" ) >> /var/ipfire/firewall/input + # Download a startup script + local script="$(get instance/metadata/user_data)" + + # Try to decode this + script="$(try_base64_decode "${script}")" + + # Execute the script + if [ "${script:0:2}" = "#!" ]; then + echo "${script}" > /tmp/user-data.script + chmod 700 /tmp/user-data.script + + # Run the script + local now="$(date -u +"%s")" + /tmp/user-data.script &>/var/log/user-data.log.${now} + + # Delete the script right away + rm /tmp/user-data.script + fi + # This script has now completed the first steps of setup touch /var/ipfire/main/firstsetup_ok fi -- 2.30.2

3 5

[PATCH] xfsprogs: Update to version 5.18.0
by Adolf Belka 23 Jun '22

23 Jun '22

- Update from version 5.16.0 to 5.18.0 - Update of rootfile not required - Changelog Release v5.18.0 xfsprogs: more autoconf modernisation Release v5.18.0-rc1 mkfs: Fix memory leak xfsprogs: autoconf modernisation xfs_io: add a quiet option to bulkstat metadump: be careful zeroing corrupt inode forks metadump: handle corruption errors without aborting xfs_db: take BB cluster offset into account when using 'type' cmd xfs_scrub: don't revisit scanned inodes when reprocessing a stale inode xfs_scrub: balance inode chunk scan across CPUs xfs_scrub: prepare phase3 for per-inogrp worker threads xfs_scrub: widen action list length variables xfs_scrub: in phase 3, use the opened file descriptor for repair calls xfs_scrub: make phase 4 go straight to fstrim if nothing to fix xfs_scrub: don't try any file repairs during phase 3 if AG metadata bad xfs_scrub: fall back to scrub-by-handle if opening handles fails xfs_scrub: in phase 3, use the opened file descriptor for scrub calls xfs_scrub: collapse trivial file scrub helpers xfs_repair: check the ftype of dot and dotdot directory entries xfs_repair: improve error reporting when checking rmap and refcount btrees xfs_repair: detect v5 featureset mismatches in secondary supers mkfs: don't trample the gid set in the protofile mkfs: round log size down if rounding log start up causes overflow mkfs: improve log extent validation mkfs: don't let internal logs bump the root dir inode chunk to AG 1 mkfs: reduce internal log size when log stripe units are in play mkfs: fix missing validation of -l size against maximum internal log size xfs_repair: fix sizing of the incore rt space usage map calculation xfs_db: report absolute maxlevels for each btree type xfs_db: support computing btheight for all cursor types xfs_repair: warn about suspicious btree levels in AG headers xfs_db: warn about suspicious finobt trees when metadumping xfs: note the removal of XFS_IOC_FSSETDM in the documentation xfs_db: fix a complaint about a printf buffer overrun xfs_scrub: move to mallinfo2 when available debian: support multiarch for libhandle debian: bump compat level to 11 debian: refactor common options Release v5.18.0-rc0 mm/fs: delete PF_SWAPWRITElibxfs-5.18-sync xfs: document the XFS_ALLOC_AGFL_RESERVE constant xfs: constify xfs_name_dotdot xfs: constify the name argument to various directory functions xfs: remove the XFS_IOC_{ALLOC,FREE}SP* definitions xfs: remove the XFS_IOC_FSSETDM definitions xfs: pass the mapping flags to xfs_bmbt_to_iomap Release v5.16.0 libxfs: remove kernel stubs from xfs_shared.h debian: Generate .gitcensus instead of .census (Closes: #999743) Release v5.16.0-rc0 xfs: Fix the free logic of state in xfs_attr_node_hasname xfs: #ifdef out perag code for userspace xfs: use swap() to make dabtree code cleaner xfs: remove unused parameter from refcount code xfs: reduce the size of struct xfs_extent_free_item xfs: rename xfs_bmap_add_free to xfs_free_extent_later xfs: create slab caches for frequently-used deferred items xfs: compact deferred intent item structures xfs: rename _zone variables to _cache xfs: remove kmem_zone typedef xfs: use separate btree cursor cache for each btree type xfs: compute absolute maximum nlevels for each btree type xfs: kill XFS_BTREE_MAXLEVELS xfs_repair: stop using XFS_BTREE_MAXLEVELS xfs_db: stop using XFS_BTREE_MAXLEVELS xfs: compute the maximum height of the rmap btree when reflink enabled xfs: clean up xfs_btree_{calc_size,compute_maxlevels} xfs: compute maximum AG btree height for critical reservation calculation xfs: rename m_ag_maxlevels to m_allocbt_maxlevels xfs: dynamically allocate cursors based on maxlevels xfs: encode the max btree height in the cursor xfs: refactor btree cursor allocation function xfs: rearrange xfs_btree_cur fields for better packing xfs: prepare xfs_btree_cur for dynamic cursor heights xfs: reduce the size of nr_ops for refcount btree cursors xfs: remove xfs_btree_cur.bc_blocklog xfs: fix perag reference leak on iteration race with growfs xfs: terminate perag iteration reliably on agcount xfs: rename the next_agno perag iteration variable xfs: fold perag loop iteration logic into helper function xfs: remove the xfs_dqblk_t typedef xfs: remove the xfs_dsb_t typedef xfs: remove the xfs_dinode_t typedef xfs: check that bc_nlevels never overflows xfs: remove xfs_btree_cur_t typedef xfs: fix maxlevels comparisons in the btree staging code xfs: port the defer ops capture and continue to resource capture xfs: formalize the process of holding onto resources across a defer roll xfs: use kmem_cache_free() for kmem_cache objects xfs_repair: fix AG header btree level comparisons xfs_db: fix metadump level comparisons Signed-off-by: Adolf Belka <adolf.belka(a)ipfire.org> --- lfs/xfsprogs | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/lfs/xfsprogs b/lfs/xfsprogs index fb2047800..b9ea1f694 100644 --- a/lfs/xfsprogs +++ b/lfs/xfsprogs @@ -24,7 +24,7 @@ include Config -VER = 5.16.0 +VER = 5.18.0 THISAPP = xfsprogs-$(VER) DL_FILE = $(THISAPP).tar.xz @@ -40,7 +40,7 @@ objects = $(DL_FILE) $(DL_FILE) = $(DL_FROM)/$(DL_FILE) -$(DL_FILE)_BLAKE2 = da328fe0c146a7b8ba866c5872f26ce95010939e05da51c73ed6374f00474605a81f4a822d65b60a132a4de47fff286e9f5f1ac809c1aa29420633f573b61aef +$(DL_FILE)_BLAKE2 = a2a2835d53ee6ac55279636f3f3cdcecab8757911ce5c1ea5f350a4da9ff4c1ca64b2aba1c0e5424c0c0a01fd0504396d5fecca12e4689c372ed5bb76b9ac24e install : $(TARGET) -- 2.36.1

2 1

Various mount options have changed in Core Update 169
by Peter Müller 23 Jun '22

23 Jun '22

Hello *, while pre-testing Core Update 169, it came to my attention that, for some reason, various mount options have changed since Core Update 168, lacking options such as "nodev", "noexec", "nosuid", which means a security downgrade. The complete delta is as follows: $ diff -Naur before after --- before 2022-06-20 20:04:32.436632074 +0000 +++ after 2022-06-20 20:04:34.500401575 +0000 @@ -1,12 +1,12 @@ -devpts on /dev/pts type devpts (rw,relatime,gid=5,mode=620,ptmxmode=000) +devpts on /dev/pts type devpts (rw,nosuid,noexec,relatime,gid=5,mode=620,ptmxmode=000) /dev/sda1 on /boot type ext4 (rw,relatime) /dev/sda2 on /boot/efi type vfat (rw,relatime,fmask=0022,dmask=0022,codepage=437,iocharset=ascii,shortname=mixed,errors=remount-ro) /dev/sda4 on / type ext4 (rw,relatime) -devtmpfs on /dev type devtmpfs (rw,relatime,size=1963708k,nr_inodes=490927,mode=755) +devtmpfs on /dev type devtmpfs (rw,nosuid,noexec,size=1949992k,nr_inodes=487498,mode=755) efivarfs on /sys/firmware/efi/efivars type efivarfs (rw,relatime) none on /sys/fs/cgroup type cgroup2 (rw,relatime) -/proc on /proc type proc (rw,relatime) -/run on /run type tmpfs (rw,nosuid,nodev,relatime,size=8192k,mode=755) -/sys on /sys type sysfs (rw,relatime) -tmpfs on /dev/shm type tmpfs (rw,relatime) +proc on /proc type proc (rw,nosuid,nodev,noexec,relatime) +sysfs on /sys type sysfs (rw,nosuid,nodev,noexec,relatime) +tmpfs on /dev/shm type tmpfs (rw,nosuid,nodev,noexec) +tmpfs on /run type tmpfs (rw,nosuid,nodev,noexec,mode=755) /var/lock on /var/lock type tmpfs (rw,nosuid,nodev,relatime,size=8192k) I cannot recall of having this explicitly changed anywhere, and don't understand the root cause for this (unwanted) change. Could somebody please point me into the right direction? :-) Thanks in advance, and best regards, Peter Müller

2 4

[PATCH] sudo: Update to version 1.9.11p3
by Adolf Belka 23 Jun '22

23 Jun '22

- Update from version 1.9.10 to 1.9.11p3 - Update of rootfile required - Changelog What's new in Sudo 1.9.11p3 * Fixed "connection reset" errors on AIX when running shell scripts with the "intercept" or "log_subcmds" sudoers options enabled. Bug #1034. * Fixed very slow execution of shell scripts when the "intercept" or "log_subcmds" sudoers options are set on systems that enable Nagle's algorithm on the loopback device, such as AIX. Bug #1034. What's new in Sudo 1.9.11p2 * Fixed a compilation error on Linux/x86_64 with the x32 ABI. * Fixed a regression introduced in 1.9.11p1 that caused a warning when logging to sudo_logsrvd if the command returned no output. What's new in Sudo 1.9.11p1 * Correctly handle EAGAIN in the I/O read/right events. This fixes a hang seen on some systems when piping a large amount of data through sudo, such as via rsync. Bug #963. * Changes to avoid implementation or unspecified behavior when bit shifting signed values in the protobuf library. * Fixed a compilation error on Linux/aarch64. * Fixed the configure check for seccomp(2) support on Linux. * Corrected the EBNF specification for tags in the sudoers manual page. GitHub issue #153. What's new in Sudo 1.9.11 * Fixed a crash in the Python module with Python 3.9.10 on some systems. Additionally, "make check" now passes for Python 3.9.10. * Error messages sent via email now include more details, including the file name and the line number and column of the error. Multiple errors are sent in a single message. Previously, only the first error was included. * Fixed logging of parse errors in JSON format. Previously, the JSON logger would not write entries unless the command and runuser were set. These may not be known at the time a parse error is encountered. * Fixed a potential crash parsing sudoers lines larger than twice the value of LINE_MAX on systems that lack the getdelim() function. * The tests run by "make check" now unset the LANGUAGE environment variable. Otherwise, localization strings will not match if LANGUAGE is set to a non-English locale. Bug #1025. * The "starttime" test now passed when run under Debian faketime. Bug #1026. * The Kerberos authentication module now honors the custom password prompt if one has been specified. * The embedded copy of zlib has been updated to version 1.2.12. * Updated the version of libtool used by sudo to version 2.4.7. * Sudo now defines _TIME_BITS to 64 on systems that define __TIMESIZE in the header files (currently only GNU libc). This is required to allow the use of 64-bit time values on some 32-bit systems. * Sudo's "intercept" and "log_subcmds" options no longer force the command to run in its own pseudo-terminal. It is now also possible to intercept the system(3) function. * Fixed a bug in sudo_logsrvd when run in store-first relay mode where the commit point messages sent by the server were incorrect if the command was suspended or received a window size change event. * Fixed a potential crash in sudo_logsrvd when the "tls_dhparams" configuration setting was used. * The "intercept" and "log_subcmds" functionality can now use ptrace(2) on Linux systems that support seccomp(2) filtering. This has the advantage of working for both static and dynamic binaries and can work with sudo's SELinux RBAC mode. The following architectures are currently supported: i386, x86_64, aarch64, arm, mips (log_subcmds only), powerpc, riscv, and s390x. The default is to use ptrace(2) where possible; the new "intercept_type" sudoers setting can be used to explicitly set the type. * New Georgian translation from translationproject.org. * Fixed creating packages on CentOS Stream. * Fixed a bug in the intercept and log_subcmds support where the execve(2) wrapper was using the current environment instead of the passed environment pointer. Bug #1030. * Added AppArmor integration for Linux. A sudoers rule can now specify an APPARMOR_PROFILE option to run a command confined by the named AppArmor profile. * Fixed parsing of the "server_log" setting in sudo_logsrvd.conf. Non-paths were being treated as paths and an actual path was treated as an error. Signed-off-by: Adolf Belka <adolf.belka(a)ipfire.org> --- config/rootfiles/common/sudo | 3 ++- lfs/sudo | 4 ++-- 2 files changed, 4 insertions(+), 3 deletions(-) diff --git a/config/rootfiles/common/sudo b/config/rootfiles/common/sudo index 1cb0d2bf7..93d9cbce2 100644 --- a/config/rootfiles/common/sudo +++ b/config/rootfiles/common/sudo @@ -80,6 +80,7 @@ usr/sbin/visudo #usr/share/locale/it/LC_MESSAGES/sudoers.mo #usr/share/locale/ja/LC_MESSAGES/sudo.mo #usr/share/locale/ja/LC_MESSAGES/sudoers.mo +#usr/share/locale/ka/LC_MESSAGES/sudo.mo #usr/share/locale/ko/LC_MESSAGES/sudo.mo #usr/share/locale/ko/LC_MESSAGES/sudoers.mo #usr/share/locale/lt/LC_MESSAGES/sudoers.mo @@ -120,11 +121,11 @@ usr/sbin/visudo #usr/share/man/man5/sudo.conf.5 #usr/share/man/man5/sudo_logsrv.proto.5 #usr/share/man/man5/sudo_logsrvd.conf.5 +#usr/share/man/man5/sudo_plugin.5 #usr/share/man/man5/sudoers.5 #usr/share/man/man5/sudoers_timestamp.5 #usr/share/man/man8/sudo.8 #usr/share/man/man8/sudo_logsrvd.8 -#usr/share/man/man8/sudo_plugin.8 #usr/share/man/man8/sudo_sendlog.8 #usr/share/man/man8/sudoedit.8 #usr/share/man/man8/sudoreplay.8 diff --git a/lfs/sudo b/lfs/sudo index 4d73db639..ce9649d79 100644 --- a/lfs/sudo +++ b/lfs/sudo @@ -24,7 +24,7 @@ include Config -VER = 1.9.10 +VER = 1.9.11p3 THISAPP = sudo-$(VER) DL_FILE = $(THISAPP).tar.gz @@ -40,7 +40,7 @@ objects = $(DL_FILE) $(DL_FILE) = $(DL_FROM)/$(DL_FILE) -$(DL_FILE)_BLAKE2 = 94d97379e31b41917616a829cbece3d3fce7dd6ab9d04791b928981c14249c306508298655c19dc59a054ccf7deed4e69e65367cbfe9f6d8b5aba8895cfa6064 +$(DL_FILE)_BLAKE2 = f8508f65b514abd9979a11628d8bc0e085b2625993281e7d1f8794a576e88970bda6939d2f2f50d9485f00276970aba3489b19c102eca5625e389c9610f338dd install : $(TARGET) -- 2.36.1

2 1

[PATCH] Ship NTP changes
by Jon Murphy 20 Jun '22

20 Jun '22

- Device time more accurate. (e.g., +/- 10 seconds per day to < 100 ms on some devices) ( I know we don't need the perfect time server ) - NTP and time will be accurate in manual mode (setting on Time Server > NTP Configuration WebGUI) - Change NTP "prefer" server: - The current preferred NTP server in an Undisciplined Local Clock. - This is intended when no outside source of synchronized time is available. - Change the "prefer" server from 127.127.1.0 to the Primary NTP server specified on the Time Server > NTP Configuration WebGUI page. - Change allows the drift file (located at /etc/ntp/drift) to be populated by ntpd. - The drift file is updated about once per hour which helps correct the device time. Signed-off-by: Jon Murphy <jon.murphy(a)ipfire.org> --- config/ntp/ntp.conf | 3 ++- src/initscripts/system/ntp | 2 ++ 2 files changed, 4 insertions(+), 1 deletion(-) diff --git a/config/ntp/ntp.conf b/config/ntp/ntp.conf index 9e393ca8e..bcaf2ee9e 100644 --- a/config/ntp/ntp.conf +++ b/config/ntp/ntp.conf @@ -1,6 +1,7 @@ disable monitor restrict default nomodify noquery restrict 127.0.0.1 -server 127.127.1.0 prefer +server 127.127.1.0 fudge 127.127.1.0 stratum 10 driftfile /etc/ntp/drift +includefile /etc/ntp/ntpInclude.conf diff --git a/src/initscripts/system/ntp b/src/initscripts/system/ntp index 74b8bc86a..6c8174d25 100644 --- a/src/initscripts/system/ntp +++ b/src/initscripts/system/ntp @@ -52,6 +52,8 @@ case "$1" in fi fi + echo -e "server ${NTP_ADDR_1} prefer\nserver ${NTP_ADDR_2}" > /etc/ntp/ntpInclude.conf + boot_mesg "Starting ntpd..." loadproc /usr/bin/ntpd -Ap /var/run/ntpd.pid ;; -- 2.30.2

4 10

List of available updates incomplete for "unstable" tree
by Peter Müller 20 Jun '22

20 Jun '22

Hello Michael, in conjunction with upcoming Core Update 169, I just noticed that my testing machine shows both the Core Update itself and lynis as available updates, but not Tor, which has been recently updated in the "next" branch. I presume this is due to uploading and/or signing of nightly build packages only performed on a regular interval, not triggered by commits or successful builds. To ensure I am not mistaken on that front, however, I would be glad for a clarification. :-) All the best, Peter Müller

2 2

IPFire Wiki error message
by Adolf Belka 20 Jun '22

20 Jun '22

Hi All, For information, the IPFire Wiki is coming up with the Error 500 oops, something went wrong message. Regards, Adolf -- Sent from my laptop

1 0

[PATCH] perl-Encode-Locale: New module dependency for LWP::UserAgent
by Adolf Belka 19 Jun '22

19 Jun '22

- UserAgent.pm now has a dependency on Encode/Locale.pm - lfs and rootfile created - Module added to make.sh Signed-off-by: Adolf Belka <adolf.belka(a)ipfire.org> --- config/rootfiles/common/perl-Encode-Locale | 6 ++ lfs/perl-Encode-Locale | 79 ++++++++++++++++++++++ make.sh | 1 + 3 files changed, 86 insertions(+) create mode 100644 config/rootfiles/common/perl-Encode-Locale create mode 100644 lfs/perl-Encode-Locale diff --git a/config/rootfiles/common/perl-Encode-Locale b/config/rootfiles/common/perl-Encode-Locale new file mode 100644 index 000000000..b3c4d8fb7 --- /dev/null +++ b/config/rootfiles/common/perl-Encode-Locale @@ -0,0 +1,6 @@ +#usr/lib/perl5/site_perl/5.32.1/Encode +usr/lib/perl5/site_perl/5.32.1/Encode/Locale.pm +#usr/lib/perl5/site_perl/5.32.1/x86_64-linux-thread-multi/auto/Encode +#usr/lib/perl5/site_perl/5.32.1/x86_64-linux-thread-multi/auto/Encode/Locale +#usr/lib/perl5/site_perl/5.32.1/x86_64-linux-thread-multi/auto/Encode/Locale/.packlist +#usr/share/man/man3/Encode::Locale.3 diff --git a/lfs/perl-Encode-Locale b/lfs/perl-Encode-Locale new file mode 100644 index 000000000..a51208971 --- /dev/null +++ b/lfs/perl-Encode-Locale @@ -0,0 +1,79 @@ +############################################################################### +# # +# IPFire.org - A linux based firewall # +# Copyright (C) 2007-2019 IPFire Team <info(a)ipfire.org> # +# # +# This program is free software: you can redistribute it and/or modify # +# it under the terms of the GNU General Public License as published by # +# the Free Software Foundation, either version 3 of the License, or # +# (at your option) any later version. # +# # +# This program is distributed in the hope that it will be useful, # +# but WITHOUT ANY WARRANTY; without even the implied warranty of # +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the # +# GNU General Public License for more details. # +# # +# You should have received a copy of the GNU General Public License # +# along with this program. If not, see <http://www.gnu.org/licenses/>. # +# # +############################################################################### + + +############################################################################### +# Definitions +############################################################################### +include Config +VER = 1.05 + +THISAPP = Encode-Locale-$(VER) +DL_FILE = ${THISAPP}.tar.gz +DL_FROM = $(URL_IPFIRE) +DIR_APP = $(DIR_SRC)/$(THISAPP) +TARGET = $(DIR_INFO)/$(THISAPP) + +############################################################################### +# Top-level Rules +############################################################################### + +objects = $(DL_FILE) + +$(DL_FILE) = $(DL_FROM)/$(DL_FILE) + +$(DL_FILE)_BLAKE2 = f66bac8ebf012e7673b344b3899bed755558b80833a68b009b6083aeadd9d69748a63bee4e5e3c20dffaf7f2551fd6c9c778273ae992752c426e081d35715dee + +install : $(TARGET) + +check : $(patsubst %,$(DIR_CHK)/%,$(objects)) + +download :$(patsubst %,$(DIR_DL)/%,$(objects)) + +b2 : $(subst %,%_BLAKE2,$(objects)) + +dist: + @$(PAK) + +############################################################################### +# Downloading, checking, b2sum +############################################################################### + +$(patsubst %,$(DIR_CHK)/%,$(objects)) : + @$(CHECK) + +$(patsubst %,$(DIR_DL)/%,$(objects)) : + @$(LOAD) + +$(subst %,%_BLAKE2,$(objects)) : + @$(B2SUM) + +############################################################################### +# Installation Details +############################################################################### + +$(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects)) + @$(PREBUILD) + @rm -rf $(DIR_APP) && cd $(DIR_SRC) && tar zxf $(DIR_DL)/$(DL_FILE) + cd $(DIR_APP) && perl Makefile.PL + cd $(DIR_APP) && make $(MAKETUNING) $(EXTRA_MAKE) + cd $(DIR_APP) && make install + @rm -rf $(DIR_APP) + @$(POSTBUILD) diff --git a/make.sh b/make.sh index 2a4f6d0bd..dd84cdc99 100755 --- a/make.sh +++ b/make.sh @@ -1373,6 +1373,7 @@ buildipfire() { lfsmake2 perl-Digest lfsmake2 perl-Digest-SHA1 lfsmake2 perl-Digest-HMAC + lfsmake2 perl-Encode-Locale lfsmake2 perl-libwww lfsmake2 perl-LWP-Protocol-https lfsmake2 perl-Net-HTTP -- 2.36.1

3 5

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

Development June 2022