Development November 2023

development@lists.ipfire.org

11 participants
46 discussions

[PATCH] Tor: Update to 0.4.8.9
by Peter Müller 22 Nov '23

22 Nov '23

Changes in version 0.4.8.9 - 2023-11-09 This is another security release fixing a high severity bug affecting onion services which is tracked by TROVE-2023-006. We are also releasing a guard major bugfix as well. If you are an onion service operator, we strongly recommend to update as soon as possible. o Major bugfixes (guard usage): - When Tor excluded a guard due to temporary circuit restrictions, it considered *additional* primary guards for potential usage by that circuit. This could result in more than the specified number of guards (currently 2) being used, long-term, by the tor client. This could happen when a Guard was also selected as an Exit node, but it was exacerbated by the Conflux guard restrictions. Both instances have been fixed. Fixes bug 40876; bugfix on 0.3.0.1-alpha. o Major bugfixes (onion service, TROVE-2023-006): - Fix a possible hard assert on a NULL pointer when recording a failed rendezvous circuit on the service side for the MetricsPort. Fixes bug 40883; bugfix on 0.4.8.1-alpha o Minor features (fallbackdir): - Regenerate fallback directories generated on November 09, 2023. o Minor features (geoip data): - Update the geoip files to match the IPFire Location Database, as retrieved on 2023/11/09. Changes in version 0.4.8.8 - 2023-11-03 We are releasing today a fix for a high security issue, TROVE-2023-004, that is affecting relays. Also a few minor bugfixes detailed below. Please upgrade as soon as posssible. o Major bugfixes (TROVE-2023-004, relay): - Mitigate an issue when Tor compiled with OpenSSL can crash during handshake with a remote relay. Fixes bug 40874; bugfix on 0.2.7.2-alpha. o Minor features (fallbackdir): - Regenerate fallback directories generated on November 03, 2023. o Minor features (geoip data): - Update the geoip files to match the IPFire Location Database, as retrieved on 2023/11/03. o Minor bugfixes (directory authority): - Look at the network parameter "maxunmeasuredbw" with the correct spelling. Fixes bug 40869; bugfix on 0.4.6.1-alpha. o Minor bugfixes (vanguards addon support): - Count the conflux linked cell as valid when it is successfully processed. This will quiet a spurious warn in the vanguards addon. Fixes bug 40878; bugfix on 0.4.8.1-alpha. Signed-off-by: Peter Müller <peter.mueller(a)ipfire.org> --- lfs/tor | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/lfs/tor b/lfs/tor index 7a9ca4128..cf0ccaf9e 100644 --- a/lfs/tor +++ b/lfs/tor @@ -26,7 +26,7 @@ include Config SUMMARY = Anonymizing overlay network for TCP (The onion router) -VER = 0.4.8.7 +VER = 0.4.8.9 THISAPP = tor-$(VER) DL_FILE = $(THISAPP).tar.gz @@ -34,7 +34,7 @@ DL_FROM = $(URL_IPFIRE) DIR_APP = $(DIR_SRC)/$(THISAPP) TARGET = $(DIR_INFO)/$(THISAPP) PROG = tor -PAK_VER = 81 +PAK_VER = 82 DEPS = libseccomp @@ -48,7 +48,7 @@ objects = $(DL_FILE) $(DL_FILE) = $(DL_FROM)/$(DL_FILE) -$(DL_FILE)_BLAKE2 = 4d0cde752a729c64e380663e4438398fe768a8657e9aa3246bdf0ec9a4b4e01e277cb594ae0cb44cc66ea8c6080f2e58c6daf1bf01dc51b678d228e8e38fc971 +$(DL_FILE)_BLAKE2 = a2d8cc8e60f162930d64d191af1893cb4060a8d98c16560c9ba30e0a9a0fd9cce2132573ca4db7b8b6e002f127f06b53fc5aea5fb6e8795c10f73671d14d9190 install : $(TARGET) -- 2.35.3

2 1

[PATCH] strongswan: Update to version 5.9.12
by Adolf Belka 22 Nov '23

22 Nov '23

- Update from version 5.9.11 to 5.9.12 - Update of rootfile - Changelog 5.9.12 Vulnerabilities Fixed a vulnerability in charon-tkm (the TKM-backed version of the charon IKE daemon) related to processing DH public values that can lead to a buffer overflow and potentially remote code execution. This vulnerability has been registered as CVE-2023-41913. Please refer to our blog for details. New Feature Additions The new pki --ocsp command produces OCSP responses based on certificate status information provided by implementations of the new ocsp_responder_t interface (#1958). Two sources are currently available, the openxpki plugin that directly accesses the OpenXPKI database and the command's --index argument, which reads certificate status information from OpenSSL-style index.txt files (multiple CAs are supported concurrently). The new cert-enroll script handles the initial enrollment of an X.509 host certificate with a PKI server via the EST or SCEP protocols. Run as a systemd timer or via a crontab entry, the script checks the expiration date of the host certificate daily. When a given deadline is reached, the host certificate is automatically renewed via EST or SCEP re-enrollment based on the possession of the old private key and the matching certificate. Added a global option (charon.reject_trusted_end_entity) to prevent peers from authenticating with certificates that are locally trusted, in particular, our own local certificate, which safeguards against accidental reuse of certificates on multiple peers. As the name suggests, all trusted end-entity certificates are rejected if enabled, so peer certificates can't be configured explicitly anymore (e.g. via remote.certs in swanctl.conf). The --priv argument for charon-cmd allows the use of any type of private key (previously, only RSA keys were supported). The openssl plugin now supports the nameConstraints extension in X.509 certificates (#1990). Support for nameConstraints of type iPAddress are now supported by the x509, openssl and constraints plugins (#1991). Support for encoding subjectAlternativeName extensions of type uniformResourceIdentifier in X.509 certificates has been added via the uri: prefix (e.g. for URNs, #1983). Support for password-less PKCS#12 and PKCS#8 files has been added (#1955). Enhancements and Optimizations Because of a relatively recent NIAP requirement (TD0527, Test 8b), loading of certificates with ECDSA keys that explicitly encode the curve parameters is rejected if possible. Explicit encoding is pretty rare to begin with and e.g. wolfSSL already rejects such keys, by default. All crypto plugins that support ECDSA enforce this by rejecting such public keys, except when using older versions of OpenSSL (< 1.1.1h) or Botan (< 3.2.0) (#1949). Make the NetworkManager plugin (charon-nm) actually use the XFRM interface it creates since 5.9.10. This involves setting interface IDs on SAs and policies, and installing routes via the interface. To avoid routing loops if the remote traffic selectors include the VPN server, IKE and ESP packets are marked to bypass the routing table that contains the routes via XFRM interface (69e0c11). If available, the plugin now also adopts the interface name configured in connection.interface-name in a *.nmconnection file as name for the XFRM interface instead of generating one randomly (e8f8d32). The resolve plugin tries to maintain the order of DNS servers it installs via resolvconf or resolv.conf (6440975, 8238ad4). The kernel-libipsec plugin now always installs routes to remote networks even if no address is found in the local traffic selectors, which allows forwarding traffic from networks the VPN host is not part of (190d8cb). Increased the default receive buffer size for Netlink sockets to 8 MiB (doubled by the kernel to account for overhead) and simplified the configuration (no need for a separate option to force overriding rmem_max). It's now also set for event sockets, which previously could cause issues on hosts with e.g. lots of route changes (#1757). When issuing certificates, the subjectKeyIdentifier of the issuing certificate, if available, is now copied as authorityKeyIdentifier, instead of always generating a SHA-1 hash of the issuer's subjectPublicKey (#1992, 6941dcb). Explicitly request permission to display notifications on Android 13+ (ddf84c1), also enabled hardware acceleration for the Android-specific OpenSSL build. Fixes Fixed issues while reestablishing multiple CHILD_SAs (e.g. after a DPD timeout) that could cause a reqid to get assigned to multiple CHILD_SAs with unrelated traffic selectors (#1855). Fixed an issue in watcher_t with handling errors on sockets (e.g. if the receive buffer is full), which caused an infinite loop if poll() only signaled POLLERR as event (#1757). Fixed an issue in the IKE_SA_INIT tracking code that was added with 5.9.6, which did not correctly untrack invalid messages with non-zero message IDs or SPIs (0b47357). Fixed a regression introduced with 5.9.8 when handling IKE redirects during IKE_AUTH (595fa07). Fixed adding the XFRMA_REPLAY_ESN_VAL attribute twice when updating SAs in the kernel-netlink plugin, which prevented MOBIKE updates if a large anti-replay window was used (#1967). Fixed a race condition in the kernel-pfroute plugin when adding virtual IPs if the TUN device is activated after the address was already added internally, which caused the installed route not to go via TUN device in order to force the virtual IP as source address (#1807). Fixed an issue in libtls that could cause the wrong ECDH group to get instantiated (b5e4bf4). Fixed the encoding of the CHILD_SA_NOT_FOUND notify if a CHILD_SA is not found during rekeying. It was previously empty, now contains the SPI and sets the protocol to the values received in the REKEY_SA notify (849c2c9). Fixed a possible issue with MOBIKE in the Android client on certain devices (#1691). For Developers The new ocsp_responder_t interface can be implemented to provide certificate status information to the pki --ocsp command. Responders can be (un-)registered via the ocsp_responders_t instance at lib->ocsp. For the watcher_t component, WATCHER_EXCEPT has been removed as there is no way to explicitly listen for errors on sockets and poll() actually can return POLLERR for any FD and it might even be the only signaled event (which caused an infinite loop previously). Now we simply notify the registered callbacks. The error is then reported by e.g. recvfrom(), which was already the case before if POLLERR was returned together with e.g. POLLIN. The reqids allocated for CHILD_SAs (including trap policies) via kernel_interface_t::alloc_reqid() are now refcounted. When recreating a CHILD_SA, a reference to the reqid can be requested via child_sa_t::get_reqid_ref(). If another reference is required afterwards, one can be acquired directly via kernel_interface_t::ref_reqid(). Each reference has to be released via kernel_interface_t::release_reqid(), whose interface was simplified. The testing environment is now based on Debian 12 (bookworm), by default. Also, when copying files to guests, the guest-specific files are now copied after the default files, which allows overriding files per guest (fixes an issue with winnetou's /etc/fstab and mounting the test results). Refer to the 5.9.12 milestone for a list of all closed issues and pull requests. Signed-off-by: Adolf Belka <adolf.belka(a)ipfire.org> --- config/rootfiles/common/strongswan | 1 + lfs/strongswan | 4 ++-- 2 files changed, 3 insertions(+), 2 deletions(-) diff --git a/config/rootfiles/common/strongswan b/config/rootfiles/common/strongswan index 22adf24b4..a5f256e02 100644 --- a/config/rootfiles/common/strongswan +++ b/config/rootfiles/common/strongswan @@ -181,6 +181,7 @@ usr/sbin/swanctl #usr/share/man/man1/pki---gen.1 #usr/share/man/man1/pki---issue.1 #usr/share/man/man1/pki---keyid.1 +#usr/share/man/man1/pki---ocsp.1 #usr/share/man/man1/pki---pkcs7.1 #usr/share/man/man1/pki---print.1 #usr/share/man/man1/pki---pub.1 diff --git a/lfs/strongswan b/lfs/strongswan index 357283b15..9496d05dd 100644 --- a/lfs/strongswan +++ b/lfs/strongswan @@ -24,7 +24,7 @@ include Config -VER = 5.9.11 +VER = 5.9.12 THISAPP = strongswan-$(VER) DL_FILE = $(THISAPP).tar.bz2 @@ -40,7 +40,7 @@ objects = $(DL_FILE) $(DL_FILE) = $(DL_FROM)/$(DL_FILE) -$(DL_FILE)_BLAKE2 = e8e84d79d1530b9a968ce8429fec0e7b3fcf19b75fdbd4371a38763d8564d5b37d012769006330b5c94cff3e914acb1b1a3e2829749effb8c35f9e5d775be491 +$(DL_FILE)_BLAKE2 = 40f80162970152bca028a9af6b37c4c6e2ef38e75f88b92bf03f18641dadacbc574441e74cd0c7abb49ce4c15d9b82301aa90cb07c4fd223bf83163ebfbc2381 install : $(TARGET) -- 2.42.1

2 1

[PATCH 2/2] dhcp.cgi: Add column with resolved hostname by IP address
by Sebastien GISLAIN 17 Nov '23

17 Nov '23

In web interface, on page DHCP Server, in table Current fixed leases, add column with resolved hostname by IP address --- html/cgi-bin/dhcp.cgi | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/html/cgi-bin/dhcp.cgi b/html/cgi-bin/dhcp.cgi index aabf565d7..b87da6907 100755 --- a/html/cgi-bin/dhcp.cgi +++ b/html/cgi-bin/dhcp.cgi @@ -1008,9 +1008,9 @@ END print <<END <table width='100%' class='tbl'> <tr> - <th width='20%' align='center'><a href='$ENV{'SCRIPT_NAME'}?FETHER'>$Lang::tr{'mac address'}</a></th> - <th width='20%' align='center'><a href='$ENV{'SCRIPT_NAME'}?FIPADDR'>$Lang::tr{'ip address'}</a></th> - <th width='20%' align='center'>$Lang::tr{'hostname'}</a></th> + <th width='15%' align='center'><a href='$ENV{'SCRIPT_NAME'}?FETHER'>$Lang::tr{'mac address'}</a></th> + <th width='10%' align='center'><a href='$ENV{'SCRIPT_NAME'}?FIPADDR'>$Lang::tr{'ip address'}</a></th> + <th width='15%' align='center'>$Lang::tr{'hostname'}</th> <th width='15%' align='center'>$Lang::tr{'remark'}</th> <th width='15%' class='boldbase' align='center'>next-server</th> <th width='15%' class='boldbase' align='center'>filename</th> @@ -1111,7 +1111,7 @@ foreach my $line (@current2) { # resolved name (if exists) my $iaddr = inet_aton($temp[1]); my $rname = gethostbyaddr($iaddr, AF_INET); - if (!$rname || $rname eq "") { $rname = $Lang::tr{'lookup failed'}; } + if (!$rname || $rname eq "") { $rname = $Lang::tr{'ptr lookup failed'}; } print <<END <td align='center' $col>$TAG2$temp[0]$TAG3</td> <td align='center' $TAG4 $col>$TAG0$temp[1]$TAG1</td> -- 2.39.2

3 2

Re: minidlna: WUI page
by Adolf Belka 17 Nov '23

17 Nov '23

Hi Bailey, Sorry for the delay in response, I have been a bit busy with non IPfire related things. On 11/11/2023 12:07, Bailey Calder wrote: > Hi Adolf > > > Could i make a new web interface for managing the firewall? As you have sent your question to a patch about minidlna, I am presuming you mean that you want to create a WUI page for minidlna. You can definitely do that. The following link shows the locations of the menu definitions. Those starting with EX are the ones related to addons. https://git.ipfire.org/?p=ipfire-2.x.git;a=tree;f=config/menu;h=a6059593bdd… mpfire and samba could be used as examples. Also look at the involved lfs, rootfiles and cgi files for those two as examples of how to approach the creation of a WUI page for minidlna, so you can make sure it is in line with the expected approach by the IPFire devs when you want to submit your patch set. Best regards, Adolf. > > > Thanks > > Bailey >

1 0

Status update on openvpn work
by Adolf Belka 17 Nov '23

17 Nov '23

Hi All, Over the last week I have been working on the openvpn update using Erik's previous patches as my starting point. My first attempt to try and be able to understand the changes from each patch to figure out what I needed to do proved difficult for me to work with. What I then did was take the current ovpnmain.cgi and apply all of Erik's patches to it. Then I have gone through that new version of ovpnmain.cgi and made the changes based on previous discussions with Michael. So I have removed the b2sum options that were present for the Data and Channel Authentication. I also moved all the cryptographic options from an additional advanced cryptographic options button into the Advanced Server options button. I was successful in doing all the above and then tested the ovpnmain.cgi out with a vm using the existing openvpn-2.5.9 version for openvpn. My old profile for my laptop which had a ciphers entry worked without any problem. My laptop was working withy openvpn-2.6.6 I then created a new profile using the new ovpnmain.cgi using the negotiation option which ended up with a data-ciphers line. That also worked in making a successful openvpn tunnel with my laptop without any issues. I then downgraded my laptop to openvpn-2.4.8 and had to install openvpn-1.1.1 to make that work. With that client version on my laptop both the old and new profiles connected with a tunnel with no problems. I then tried downgrading my laptop to openvpn-2.3.14 but to make this work I would have had to downgrade the laptop to openssl-1.0.0 which I was not willing to do as that is very old and very insecure. The oldest openvpn version working with openssl-1.1.1 is 2.4.0 which is nearly 7 years old. That version also worked with both the old and new laptop profiles. I then tested out the openvpn server on my IPFire vm with a 2.6.0 and 2.6.6 version of openvpn. Both these openvpn versions worked with both the old and new laptop connection profiles with my laptop on version 2.4.0 and on 2.6.6 All the above was using network manager with its openvpn plugin option on the laptop for making the openvpn tunnel connections. As far as I can tell everything is working fine when negotiation is specified on the server. Old profiles that just use the cipher option also work fine. Therefore my plan is to only use the negotiation option and not make it selectable for older clients. The data-ciphers-fallback option in the server seems to be doing its job. The negotiation option on the server was able to connect to a 2.4.0 client on my laptop. According to the OpenVPN wiki on cipher negotiation the data-ciphers-fallback option will work with 2.4.x and 2.3.x clients. As the 2.3.x clients need to be using openssl-1.0.0 then I think if those clients work then fine but nothing further back. Overall, I am very happy with what I have succeeded in doing so far. I achieved things much quicker than I had expected. I will now try and see about creating a profile on a CU 179 based system that uses one of the old insecure ciphers such as Blow Fish and restore that into my evaluation vm and see how that works with my laptop when I have it downgraded to openvpn-2.4.0 I already know that if the laptop is at openvpn-2.6.6 then it will not accept a blowfish cipher (or another weak cipher such as DES) as that is something I tested in the past. If that also works then my plan will be to take the updated ovpnmain.cgi and split the changes into a new range of patches and then submit them for consideration. That will probably end up later in November as I will be busy with personal things at the end of October / beginning of November. Regards, Adolf.

3 42

[PATCH v2] minidlna: Update to version 1.3.3
by Adolf Belka 11 Nov '23

11 Nov '23

- v2 version corrects name in subject line - Update from version 1.3.2 to 1.3.3 - Update of rootfile not required - Changelog 1.3.3 - Released 1-Jun-2023 - Fixed HTTP chunk length parsing. - Improved Dutch and Swedish translations. - Fixed directory symlink deletion handling. Signed-off-by: Adolf Belka <adolf.belka(a)ipfire.org> --- lfs/minidlna | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/lfs/minidlna b/lfs/minidlna index d0422c08a..55941bea8 100644 --- a/lfs/minidlna +++ b/lfs/minidlna @@ -26,7 +26,7 @@ include Config SUMMARY = DLNA compatible server -VER = 1.3.2 +VER = 1.3.3 THISAPP = minidlna-$(VER) DL_FILE = minidlna-$(VER).tar.gz @@ -34,7 +34,7 @@ DL_FROM = $(URL_IPFIRE) DIR_APP = $(DIR_SRC)/$(THISAPP) TARGET = $(DIR_INFO)/$(THISAPP) PROG = minidlna -PAK_VER = 13 +PAK_VER = 14 DEPS = ffmpeg flac libexif libid3tag libogg @@ -50,7 +50,7 @@ objects = $(DL_FILE) $(DL_FILE) = $(DL_FROM)/$(DL_FILE) -$(DL_FILE)_BLAKE2 = e35266be94e4585f399c80a6909318ce973d443506f6becdacdb00802ed0ce060ebf8401ff1b5dfef0b451f609d98f805c80b9a0c87e23d14084338047418620 +$(DL_FILE)_BLAKE2 = 489b7ecb54a20f6111a65388ad2c52d477164046131af490cbcef7cd3ff2b841644f549bcad708ea6d4548f4111d5b2b63bafc0f079edf160467b85c682cbc5b install : $(TARGET) -- 2.42.1

1 0

[PATCH 1/2] Add column with resolved hostname by IP address
by Sebastien GISLAIN 11 Nov '23

11 Nov '23

From: Sebastien GISLAIN <sebastien.gislain(a)gmail.com> --- html/cgi-bin/dhcp.cgi | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/html/cgi-bin/dhcp.cgi b/html/cgi-bin/dhcp.cgi index f45703f0b..aabf565d7 100755 --- a/html/cgi-bin/dhcp.cgi +++ b/html/cgi-bin/dhcp.cgi @@ -21,6 +21,7 @@ use strict; use experimental 'smartmatch'; +use IO::Socket; # enable only the following on debugging purpose #use warnings; @@ -1009,6 +1010,7 @@ print <<END <tr> <th width='20%' align='center'><a href='$ENV{'SCRIPT_NAME'}?FETHER'>$Lang::tr{'mac address'}</a></th> <th width='20%' align='center'><a href='$ENV{'SCRIPT_NAME'}?FIPADDR'>$Lang::tr{'ip address'}</a></th> + <th width='20%' align='center'>$Lang::tr{'hostname'}</a></th> <th width='15%' align='center'>$Lang::tr{'remark'}</th> <th width='15%' class='boldbase' align='center'>next-server</th> <th width='15%' class='boldbase' align='center'>filename</th> @@ -1106,9 +1108,14 @@ foreach my $line (@current2) { $TAG4 = "class='red'" if ($dhcpsettings{'KEY2'} ne $key); } + # resolved name (if exists) + my $iaddr = inet_aton($temp[1]); + my $rname = gethostbyaddr($iaddr, AF_INET); + if (!$rname || $rname eq "") { $rname = $Lang::tr{'lookup failed'}; } print <<END <td align='center' $col>$TAG2$temp[0]$TAG3</td> <td align='center' $TAG4 $col>$TAG0$temp[1]$TAG1</td> +<td align='center' $col>$rname </td> <td align='center' $col>$temp[6] </td> <td align='center' $col>$temp[3] </td> <td align='center' $col>$temp[4] </td> -- 2.39.2

1 0

[PATCH] unbound: Update to 1.19.0
by Matthias Fischer 10 Nov '23

10 Nov '23

For details see: https://nlnetlabs.nl/projects/unbound/download/#unbound-1-19-0 Again: Changelog is IMHO too long to be published here... Signed-off-by: Matthias Fischer <matthias.fischer(a)ipfire.org> --- config/rootfiles/common/unbound | 2 +- lfs/unbound | 4 ++-- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/config/rootfiles/common/unbound b/config/rootfiles/common/unbound index f8463f9e8..78c5a31ae 100644 --- a/config/rootfiles/common/unbound +++ b/config/rootfiles/common/unbound @@ -11,7 +11,7 @@ etc/unbound/unbound.conf #usr/lib/libunbound.la #usr/lib/libunbound.so usr/lib/libunbound.so.8 -usr/lib/libunbound.so.8.1.22 +usr/lib/libunbound.so.8.1.23 #usr/lib/pkgconfig/libunbound.pc usr/sbin/unbound usr/sbin/unbound-anchor diff --git a/lfs/unbound b/lfs/unbound index 5fd114ccf..22bb2e1ce 100644 --- a/lfs/unbound +++ b/lfs/unbound @@ -24,7 +24,7 @@ include Config -VER = 1.18.0 +VER = 1.19.0 THISAPP = unbound-$(VER) DL_FILE = $(THISAPP).tar.gz @@ -40,7 +40,7 @@ objects = $(DL_FILE) $(DL_FILE) = $(DL_FROM)/$(DL_FILE) -$(DL_FILE)_BLAKE2 = 55f68cdb08281adaa7446f9b284d850e5e0cbbcbeda98609d9f8297d1bb298fcba51fa0a0805df5acc0a475397c65d295a33ae26144cdafbedb9686915dd174b +$(DL_FILE)_BLAKE2 = 66ec2b1cd32ac5930c088c73e884bc1fb4d35526a0c89bdbe209defd3e78326ce9b3c1a523fc1ab28b8fdf0e457280d5de7b300cf560c15d875f460bc361f5c7 install : $(TARGET) -- 2.34.1

2 1

[PATCH] squid: Update to 6.5
by Matthias Fischer 10 Nov '23

10 Nov '23

For details see: https://github.com/squid-cache/squid/commits/v6 Signed-off-by: Matthias Fischer <matthias.fischer(a)ipfire.org> --- lfs/squid | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/lfs/squid b/lfs/squid index cd424e8bb..d92341794 100644 --- a/lfs/squid +++ b/lfs/squid @@ -24,7 +24,7 @@ include Config -VER = 6.3 +VER = 6.5 THISAPP = squid-$(VER) DL_FILE = $(THISAPP).tar.xz @@ -46,7 +46,7 @@ objects = $(DL_FILE) $(DL_FILE) = $(DL_FROM)/$(DL_FILE) -$(DL_FILE)_BLAKE2 = 7b94f870a78cd7f29ee762aa3c0c6d72412e719c65a2d3730b744b6ac6da1b26b15da42d89c004214b2574e53321d904af175ef156430459eae09d560895de5b +$(DL_FILE)_BLAKE2 = 91ed91f9b0f56f440a7f15a63bbc3e19537b60bc8b31b5bf7e16884367d0da060c5490e1721dbd7c5fce7f4a4e958fb3554d6bdc5b55f568598f907722b651de install : $(TARGET) -- 2.34.1

2 1

[PATCH] clamav: Update to 1.2.1
by Matthias Fischer 10 Nov '23

10 Nov '23

For details see: https://blog.clamav.net/2023/10/clamav-121-113-104-010311-patch.html Excerpt: "ClamAV 1.2.1 is a patch release with the following fixes: Eliminate security warning about unused "atty" dependency. Upgrade the bundled UnRAR library (libclamunrar) to version 6.2.12. Build system: Fix link error with Clang/LLVM/LLD version 17. Patch courtesy of Yasuhiro Kimura. Fix alert-exceeds-max feature for files > 2GB and < max-filesize." Signed-off-by: Matthias Fischer <matthias.fischer(a)ipfire.org> --- config/rootfiles/packages/clamav | 1 + lfs/clamav | 6 +++--- 2 files changed, 4 insertions(+), 3 deletions(-) diff --git a/config/rootfiles/packages/clamav b/config/rootfiles/packages/clamav index a3ec7d6cb..428f73e6c 100644 --- a/config/rootfiles/packages/clamav +++ b/config/rootfiles/packages/clamav @@ -69,6 +69,7 @@ usr/sbin/clamd #usr/share/doc/ClamAV/html/faq/faq-eol.html #usr/share/doc/ClamAV/html/faq/faq-freshclam.html #usr/share/doc/ClamAV/html/faq/faq-ignore.html +#usr/share/doc/ClamAV/html/faq/faq-malware-fp-reports.html #usr/share/doc/ClamAV/html/faq/faq-misc.html #usr/share/doc/ClamAV/html/faq/faq-ml.html #usr/share/doc/ClamAV/html/faq/faq-pua.html diff --git a/lfs/clamav b/lfs/clamav index 2a2cb0853..b64753c44 100644 --- a/lfs/clamav +++ b/lfs/clamav @@ -26,7 +26,7 @@ include Config SUMMARY = Antivirus Toolkit -VER = 1.2.0 +VER = 1.2.1 THISAPP = clamav-$(VER) DL_FILE = $(THISAPP).tar.gz @@ -34,7 +34,7 @@ DL_FROM = $(URL_IPFIRE) DIR_APP = $(DIR_SRC)/$(THISAPP) TARGET = $(DIR_INFO)/$(THISAPP) PROG = clamav -PAK_VER = 69 +PAK_VER = 70 DEPS = @@ -50,7 +50,7 @@ objects = $(DL_FILE) $(DL_FILE) = $(DL_FROM)/$(DL_FILE) -$(DL_FILE)_BLAKE2 = 83df24d253f71e2c200c13c318aa6a52d34830e5e464a90f2a84e5c1b75a64f366b73aa1da9f5780b70d6f3ab97496910484ab5d52441cc1909d5ab4685330c2 +$(DL_FILE)_BLAKE2 = 1373c6882b165e769dcc3c3631dfe7183231b2fe4830608b57d919af1a8e9a5a73aa3cc4767981a27bb9845390165b5241750904d50e1a90b7237200b97f7ef3 install : $(TARGET) -- 2.34.1

2 1

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

Development November 2023