Development May 2023

development@lists.ipfire.org

9 participants
44 discussions

Re: IPFire 2.27 - Core Update 164 is available for testing
by Adolf Belka 28 May '24

28 May '24

Hi All, Just tested out CU164 on my vm testbed system. The update went without any problems. You see the pakfire log status again on the wui page during the update. OpenVPN RW setup ran without any issues. Connection successfully made. IPS has the multiple providers option successfully in place. I eventually found the Force Update of rules button, which was very useful for my vm testbed as it is not running all the time and so the rules were a bit out of date. As far as I can tell everything is working fine on it. No issues detected. I will let it run over the next few days during the daytime and see how things go. Regards, Adolf. On 20/02/2022 18:35, IPFire Project wrote: > IPFire Logo > > there is a new post from Michael Tremer on the IPFire Blog: > > *IPFire 2.27 - Core Update 164 is available for testing* > > It is time to test another release for IPFire: IPFire 2.27 - Core Update 164. It comes with a vastly improved firewall engine, a new kernel and various security and bug fixes. Please help us testing this release and if you would like to support us, please donate. > > Click Here To Read More <https://blog.ipfire.org/post/ipfire-2-27-core-update-164-is-available-for-t…> > > The IPFire Project > Don't like these emails? Unsubscribe <https://people.ipfire.org/unsubscribe>. >

4 8

Start local and uplink network independent
by Jonatan Schlag 21 Aug '23

21 Aug '23

Hi, this is the first try for a patch series which makes the startup of local and uplink networks independent. This resolves in the end #11502. It should further allow us to keep waiting for a DHCP lease, because at least our local networks are all up when we get to the red network. This might have some small quirks, even when my testing so far shows no problems. I still think it is now better to share result, then to wait any longer. As this touches quite important parts of our network stack, I might be a could idea to merge this in two stages. After the patch, titled "network startup: Clean up duplicated Code ", might be a good breaking point. But in the end, this is up to you. Please keep in mind, I only tested the full patch set: Remove ipsec interface creation from network startup Remove Start/Stop links for client175 Use bash as shebang in network initscripts network initscripts: check if the zone in the current config exists network initscripts: Remove code for old zone scheme network scripts: remove check for AUTOCONNECT network startup: Reload routing informations for every interface network startup: Always cleanup before red gets started network startup: check for correct action at start network startup: Refactor how cmd args are processed network startup: Clean up duplicated Code network script: add extra scripts for action that depend on a network network startup: Add scripts for local and uplink network startup: Start local and uplink network independent network startup: Only work with configured zones config/rootfiles/common/aarch64/initscripts | 31 +++-- config/rootfiles/common/riscv64/initscripts | 31 +++-- config/rootfiles/common/x86_64/initscripts | 31 +++-- lfs/initscripts | 36 +++--- src/initscripts/networking/any | 31 ++++- src/initscripts/networking/functions.network | 14 +- src/initscripts/networking/red | 5 +- .../networking/red.up/99-pakfire-update | 2 +- src/initscripts/system/depends-on-network | 40 ++++++ src/initscripts/system/network | 121 ++++++++---------- 10 files changed, 218 insertions(+), 124 deletions(-) create mode 100644 src/initscripts/system/depends-on-network Looking forward to your feedback Greetings Jonatan

2 34

[PATCH] squid-asnbl: Fix for bug#13023 - squid-asnbl-helper segfaulting and shutdown squid
by Adolf Belka 01 Jul '23

01 Jul '23

- Patch provided by bug reporter. Here is the description of the problem from the bug. First I discovered that the helper only sometimes throwing the error and quits even for the same values and queries. Also the timespan until the error happens was quite different for every restart of squid (minutes to hours). And it does not depend on the traffic on the proxy, even one connection could cause a crash while ten or hundrets won't. After a few days of testing different solutions and done a lot of debugging, redesigning the function did not fully solve the problem. Such standard things like checking the result variable for NULL (or it's equivalent "is None" in python) before evaluating it's subfunction produces the exact same error message. But with that knowledge it more and more turns out that python3 sometimes 'detects' the local return variable if it was a misused global. So for a full fix, the return variable also has to be initialized that python3 won't detect it's usage as an 'UnboundLocalError' to succesfully fix this bug. - LFS file updated to run patch before copying helper into place. - Update of rootfile not needed. - Bug reporter has been requested to raise this issue at the git repo for squid-asnbl. Fixes: Bug#13023 Tested-by: Nicolas Pӧhlmann <business(a)hardcoretec.com> Signed-off-by: Adolf Belka <adolf.belka(a)ipfire.org> --- lfs/squid-asnbl | 1 + ...les_to_make_compatible_with_python_3.patch | 100 ++++++++++++++++++ 2 files changed, 101 insertions(+) create mode 100644 src/patches/squid/squid-asnbl-0.2.4_initialise_global_variables_to_make_compatible_with_python_3.patch diff --git a/lfs/squid-asnbl b/lfs/squid-asnbl index 130b28460..b003d605b 100644 --- a/lfs/squid-asnbl +++ b/lfs/squid-asnbl @@ -75,6 +75,7 @@ $(subst %,%_BLAKE2,$(objects)) : $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects)) @$(PREBUILD) @rm -rf $(DIR_APP) && cd $(DIR_SRC) && tar zvxf $(DIR_DL)/$(DL_FILE) + cd $(DIR_APP) && patch -Np1 -i $(DIR_SRC)/src/patches/squid/squid-asnbl-0.2.4_initialise_global_variables_to_make_compatible_with_python_3.patch # Install ASNBL helper script cd $(DIR_APP) && install -o root -g root -m 0755 asnbl-helper.py /usr/bin/asnbl-helper.py diff --git a/src/patches/squid/squid-asnbl-0.2.4_initialise_global_variables_to_make_compatible_with_python_3.patch b/src/patches/squid/squid-asnbl-0.2.4_initialise_global_variables_to_make_compatible_with_python_3.patch new file mode 100644 index 000000000..e540d4e76 --- /dev/null +++ b/src/patches/squid/squid-asnbl-0.2.4_initialise_global_variables_to_make_compatible_with_python_3.patch @@ -0,0 +1,100 @@ +--- squid-asnbl-0.2.4/asnbl-helper_orig.py ++++ squid-asnbl-0.2.4/asnbl-helper.py +@@ -172,17 +172,19 @@ + return parsedasns + + +-def resolve_asn(ipaddr: str, asndb): +- """ Function call: resolve_asn(IP address to be resolved, +- ASN database instance object) +- This function looks up the Autonomous System for the given IP address. It expects +- an IPFire location database object to be passed as a second parameter, hence relying +- on another function to set that up. """ ++def resolve_asn(ipaddr: str): ++ """ Function call: resolve_asn(IP address to be resolved) ++ This function looks up the Autonomous System for the given IP address. """ ++ ++ # Fix for #13023 ++ # Initialize the result variable before it's first use, otherwise python3 ++ # will sometimes detect a 'mismatch' using global and local variables ++ lookup_result = None + + # libloc cannot handle ipaddress objects here, so casting into a string is necessary + # for good measure, to avoid exceptions here... + try: +- result = asndb.lookup(str(ipaddr)) ++ lookup_result = ASNDB.lookup(str(ipaddr)) + except BlockingIOError: + # XXX: Prevent likely libloc bug from causing this helper to crash + # (see upstream bug https://bugzilla.ipfire.org/show_bug.cgi?id=13023) +@@ -190,21 +192,25 @@ + + # In case nothing was returned above, satisfy result expectation to this function... + try: +- if not result.asn: ++ if not lookup_result.asn: + return 0 + except AttributeError: + return 0 + +- return result.asn +- +- +-def asndb_response_tests(testdata: str, asndb): +- """ Function call: asndb_response_tests(response rest data, +- ASN database instance object) ++ return lookup_result.asn ++ ++ ++def asndb_response_tests(testdata: str): ++ """ Function call: asndb_response_tests(response rest data) + + This function asserts the given ASN database to return expected ASNs for + given IP addresses in order to be considered operational. It returns + True if this test succeeds, and False otherwise. """ ++ ++ # Fix for #13023 ++ # Initialize the result variable before it's first use, otherwise python3 ++ # will sometimes detect a 'mismatch' using global and local variables ++ lookup_result_test = None + + tresult = True + +@@ -216,13 +222,13 @@ + + for stestdata in ptdata: + LOGIT.debug("Running response test for '%s' against ASNDB '%s' ...", +- stestdata, asndb) +- +- returndata = resolve_asn(stestdata[0], asndb) +- +- if returndata != int(stestdata[1]): ++ stestdata, ASNDB) ++ ++ lookup_result_test = resolve_asn(stestdata[0]) ++ ++ if lookup_result_test != int(stestdata[1]): + LOGIT.error("Response test failed for ASNDB '%s' (tuple: %s), aborting", +- asndb, stestdata) ++ ASNDB, stestdata) + tresult = False + break + +@@ -428,7 +434,7 @@ + ASNDB = set_up_location_database(config["GENERAL"]["ASNDB_PATH"]) + + LOGIT.debug("Running ASN database response tests...") +-if asndb_response_tests(config["GENERAL"]["TESTDATA"], ASNDB): ++if asndb_response_tests(config["GENERAL"]["TESTDATA"]): + LOGIT.debug("ASN database operational - excellent. Waiting for input...") + else: + LOGIT.error("ASN database response tests failed, aborting") +@@ -490,7 +496,7 @@ + ASNS = [] + for singleip in IPS: + # Enumerate ASN for this IP address... +- resolvedasn = resolve_asn(singleip, ASNDB) ++ resolvedasn = resolve_asn(singleip) + + # In case protection against destinations without public AS announcements for their + # IP addresses is desired, the query will be denied in case ASN = 0 appears in an -- 2.39.2

2 3

Fwd: Forthcoming OpenSSL Releases
by Michael Tremer 07 Jun '23

07 Jun '23

It looks like we might not want to release the forthcoming Core Update before this. I did not hear any rumours about what might be the issue, but I would say that it wouldn’t hurt us to wait. What other outstanding issues do we have that are currently blocking the update? -Michael > Begin forwarded message: > > From: Tomas Mraz <tomas(a)openssl.org> > Subject: Forthcoming OpenSSL Releases > Date: 24 May 2023 at 05:06:12 BST > To: "openssl-project(a)openssl.org" <openssl-project(a)openssl.org>, "openssl-users(a)openssl.org" <openssl-users(a)openssl.org>, openssl-announce(a)openssl.org > Reply-To: openssl-users(a)openssl.org > > The OpenSSL project team would like to announce the forthcoming release > of OpenSSL versions 3.0.9, 1.1.1u and 1.0.2zh. Note that OpenSSL 1.0.2 > is End Of Life and so 1.0.2zh will be available to premium support > customers only. > > These releases will be made available on Tuesday 30th May 2023 > between 1300-1700 UTC. > > These are security-fix releases. The highest severity issue fixed in > each of these three releases is Moderate: > > https://www.openssl.org/policies/secpolicy.html > > Yours > The OpenSSL Project Team >

5 27

[PATCH] curl: Update to version 8.1.0
by Adolf Belka 02 Jun '23

02 Jun '23

- Update from version 7.88.1 to 8.1.0 - Update of rootfile not required - Changelog Fixed in 8.1.0 - May 17 2023 Changes: curl: add --proxy-http2 CURLPROXY_HTTPS2: for HTTPS proxy that may speak HTTP/2 hostip: refuse to resolve the .onion TLD tool_writeout: add URL component variables Bugfixes: amiga: Fix CA certificate paths for AmiSSL and MorphOS autotools: sync up clang picky warnings with cmake aws-sigv4.d: fix region identifier in example bufq: simplify since expression is always true cf-h1-proxy: skip an extra NULL assign cf-h2-proxy: fix processing ingress to stop too early cf-socket: add socket recv buffering for most tcp cases cf-socket: Disable socket receive buffer by default cf-socket: remove dead code discovered by PVS cf-socket: turn off IPV6_V6ONLY on Windows if it is supported checksrc: check for spaces before the colon of switch labels checksrc: find bad indentation in conditions without open brace checksrc: fix SPACEBEFOREPAREN for conditions starting with "*" ci: `-Wno-vla` no longer necessary CI: fix brew retries on GHA CI: Set minimal permissions on workflow ngtcp2-quictls.yml CI: skip Azure for commits which change only GHA CI: use another glob syntax for matching files on Appveyor cmake: bring in the network library on Haiku cmake: do not add zlib headers for openssl CMake: make config version 8 compatible with 7 cmake: picky-linker fixes for openssl, ZLIB, H3 and more cmake: set SONAME for SunOS too cmake: speed up and extend picky clang/gcc options CMakeLists.txt: fix typo for Haiku detection compressed.d: clarify the words on "not notifying headers" config-dos.h: fix SIZEOF_CURL_OFF_T for MS-DOS/DJGPP configure: don't set HAVE_WRITABLE_ARGV on Windows configure: fix detection of apxs (for httpd) configure: make quiche require quiche_conn_send_ack_eliciting connect: fix https connection setup to treat ssl_mode correctly content_encoding: only do transfer-encoding compression if asked to cookie: address PVS nits cookie: clarify that init with data set to NULL reads no file curl: do NOT append file name to path for upload when there's a query curl_easy_getinfo.3: typo fix (duplicated "from the") curl_easy_unescape.3: rename the argument curl_path: bring back support for SFTP path ending in /~ curl_url_set.3: mention that users can set content rather freely CURLOPT_IPRESOLVE.3: this for host names, not IP addresses data.d: emphasize no conversion digest: clear target buffer doc: curl_mime_init() strong easy binding was relaxed in 7.87.0 docs/cmdline-opts: document the dotless config path docs/examples/protofeats.c: outputs all protocols and features docs/libcurl/curl_*escape.3: rename "url" argument to "input"/"string" docs/SECURITY-ADVISORY.md: how to write a curl security advisory docs: bump the minimum perl version to 5.6 docs: clarify that more backends have HTTPS proxy support dynbuf: never allocate larger than "toobig" easy_cleanup: require a "good" handle to act ftp: fix 'portsock' variable was assigned the same value ftp: remove dead code ftplistparser: move out private data from public struct ftplistparser: replace realloc with dynbuf gen.pl: error on duplicated See-Also fields getpart: better handle case of file not found GHA-linux: add an address-sanitizer build GHA: add a memory-sanitizer job GHA: run all linux test jobs with valgrind GHA: suppress git clone output GIT-INFO: add --with-openssl gskit: various compile errors in OS400 h2/h3: replace `state.drain` counter with `state.dselect_bits` hash: fix assigning same value headers: clear (possibly) lingering pointer in init hostcheck: fix host name wildcard checking hostip: add locks around use of global buffer for alarm() hostip: enforce a maximum DNS cache size independent of timeout value HTTP-COOKIES.md: mention the #HttpOnly_ prefix http2: always EXPIRE_RUN_NOW unpaused http/2 transfers http2: do flow window accounting for cancelled streams http2: enlarge the connection window http2: flow control and buffer improvements http2: move HTTP/2 stream vars into local context http2: pass `stream` to http2_handle_stream_close to avoid NULL checks http2: remove unused Curl_http2_strerror function declaration HTTP3/quiche: terminate h1 response header when no body is sent http3: check stream_ctx more thoroughly in all backends HTTP3: document the ngtcp2/nghttp3 versions to use for building curl http3: expire unpaused transfers in all HTTP/3 backends http3: improvements across backends http: free the url before storing a new copy http: skip a double NULL assign ipv4.d/ipv6.d: they are "mutex", not "boolean" KNOWN_BUGS: remove fixed or outdated issues, move non-bugs lib/cmake: add HAVE_WRITABLE_ARGV check lib/sha256.c: typo fix in comment (duplicated "is available") lib1560: verify that more bad host names are rejected lib: add `bufq` and `dynhds` lib: remove CURLX_NO_MEMORY_CALLBACKS lib: unify the upload/method handling lib: use correct printf flags for sockets and timediffs libssh2: fix crash in keyboard callback libssh2: free fingerprint better libssh: tell it to use SFTP non-blocking man pages: simplify the .TH sections MANUAL.md: add dict example for looking up a single definition md(4|5): don't use deprecated iOS functions md4: only build when used mime: skip NULL assigns after Curl_safefree() multi: add handle asserts in DEBUG builds multi: add multi-ignore logic to multi_socket_action multi: free up more data earleier in DONE multi: remove a few superfluous assigns multi: remove PENDING + MSGSENT handles from the main linked list ngtcp2: adapted to 0.15.0 ngtcp2: adjust config and code checks for ngtcp2 without nghttp3 noproxy: pointer to local array 'hostip' is stored outside scope ntlm: clear lm and nt response buffers before use openssl: interop with AWS-LC OS400: fix and complete ILE/RPG binding OS400: implement EBCDIC support for recent features OS400: improve vararg emulation OS400: provide ILE/RPG usage examples pingpong: fix compiler warning "assigning an enum to unsigned char" pytest: improvements for suitable curl and error output quiche: disable pacing while pacing is not actually performed quiche: Enable IDLE egress handling RELEASE-PROCEDURE: update to new schedule rtsp: convert mallocs to dynbuf for RTP buffering rtsp: skip malformed RTSP interleaved frame data rtsp: skip NULL assigns after Curl_safefree() runtests: die if curl version can be found runtests: don't start servers if -l is given runtests: fix -c option when run with valgrind runtests: fix quoting in Appveyor and Azure test integration runtests: lots of refactoring runtests: refactor into more packages runtests: show error message if file can't be written runtests: spawn a new process for the test runner rustls: fix error in recv handling schannel: add clarifying comment server/getpart: clear target buffer before load smb: remove double assign smbserver: remove temporary files before exit socketpair: verify with a random value ssh: Add support for libssh2 read timeout telnet: simplify the implementation of str_is_nonascii() test1169: fix so it works properly everywhere test1592: add flaky keyword test1960: point to the correct path for the precheck tool test303: kill server after test tests/http: add timeout to running curl in test cases tests/http: fix log formatting on wrong exit code tests/http: fix out-of-tree builds tests/http: improved httpd detection tests/http: more tests with specific clients tests/http: relax connection check in test_07_02 tests/keywords.pl: remove tests/libtest/lib1900.c: remove tests/sshserver.pl: Define AddressFamily earlier tests: 1078 1288 1297 use valid IPv4 addresses tests: document that the unittest keyword is special tests: increase sws timeout for more robust testing tests: log a too-long Unix socket path in sws and socksd tests: make test_12_01 a bit more forgiving on connection counts tests: move pidfiles and portfiles under the log directory tests: move server config files under the pid dir tests: silence some Perl::Critic warnings in test suite tests: stop using strndup(), which isn't portable tests: switch to 3-argument open in test suite tests: turn perl modules into full packages tests: use %LOGDIR to refer to the log directory tool_cb_hdr: Fix 'Location:' formatting for early VTE terminals tool_operate: pass a long as CURLOPT_HEADEROPT argument tool_operate: refuse (--data or --form) and --continue-at combo transfer: refuse POSTFIELDS + RESUME_FROM combo transfer: skip extra assign url: fix null dispname for --connect-to option url: fix PVS nits url: remove call to Curl_llist_destroy in Curl_close urlapi: cleanups and improvements urlapi: detect and error on illegal IPv4 addresses urlapi: prevent setting invalid schemes with *url_set() urlapi: skip a pointless assign urlapi: URL encoding for the URL missed the fragment urldata: copy CURLOPT_AWS_SIGV4 value on handle duplication urldata: shrink *select_bits int => unsigned char vlts: use full buffer size when receiving data if possible vtls and h2 improvements Websocket: enhanced en-/decoding wolfssl.yml: bump to version 5.6.0 write-out.d: Use response_code in example ws: handle reads before EAGAIN better Fixed in 8.0.1 - March 20 2023 Bugfixes: fix crash in curl_easy_cleanup Fixed in 8.0.0 - March 20 2023 Changes: build: remove support for curl_off_t < 8 bytes Bugfixes: .cirrus.yml: Bump to FreeBSD 13.2 aws_sigv4: fall back to UNSIGNED-PAYLOAD for sign_as_s3 BINDINGS: add Fortran binding build: drop the use of XC_AMEND_DISTCLEAN build: fix stdint/inttypes detection with non-autotools cf-socket: fix handling of remote addr for accepted tcp sockets cf-socket: if socket is already connected, return CURLE_OK cf-socket: use port 80 when resolving name for local bind CI: don't run CI jobs if only another CI was changed CI: update ngtcp2 and nghttp2 for pytest cmake: delete unused HAVE__STRTOI64 cmake: fix enabling LDAPS on Windows cmake: skip CA-path/bundle auto-detection in cross-builds connect: fix time_connect and time_appconnect timer statistics cookie: don't load cookies again when flushing cookie: parse without sscanf() curl.h: require gcc 12.1 for the deprecation magic curl: make -w's %{stderr} use the file set with --stderr curl_path: create the new path with dynbuf CURLOPT_PIPEWAIT: allow waited reuse also for subsequent connections CURLOPT_PROXY.3: curl+NSS does not handle HTTPS over unix domain socket CURLSHOPT_SHARE.3: HSTS sharing is not thread-safe DEPRECATE: the original legacy mingw version 1 doc: fix compiler warning in libcurl.m4 docs/cmdline-opts: mark all global options docs/SECURITY-PROCESS.md: updates docs: extend the URL API descriptions docs: note '--data-urlencode' option DYNBUF.md: note Curl_dyn_add* calls Curl_dyn_free on failure easy: remove infof() debug leftover from curl_easy_recv examples/http3.c: use CURL_HTTP_VERSION_3 ftp: active mode with SSL, add the filter ftp: add more conditions for connection reuse ftp: allocate the wildcard struct on demand ftp: make the EPSV response parser not use sscanf ftp: replace sscanf for MDTM 213 response parsing ftp: replace sscanf for PASV parsing gssapi: align `gss_OID_desc` to silence ld warnings on macOS ventura headers: make curl_easy_header and nextheader return different buffers hostip: avoid sscanf and extra buffer copies http2: fix error handling during parallel operations http2: fix for http2-prior-knowledge when reusing connections http2: fix handling of RST and GOAWAY to recognize partial transfers http2: fix upload busy loop http: don't send 100-continue for short PUT requests http: fix unix domain socket use in https connects http: rewrite the status line parser without sscanf http_proxy: parse the status line without sscanf idn: return error if the conversion ends up with a blank host krb5: avoid sscanf for parsing lib1560: test parsing URLs with ridiculously large fields lib2305: deal with CURLE_AGAIN lib517: verify time stamps without leading zeroes plus some more lib: silence clang/gcc -Wvla warnings in brotli headers lib: skip Curl_llist_destroy calls libcurl-errors.3: add the CURLHcode errors from curl_easy_header.3 libssh2: only set the memory callbacks when debugging libssh2: remove unused variable from libssh2's struct libssh: use dynbuf instead of realloc Makefile.mk: delete redundant `HAVE_LDAP_SSL` macro Makefile.mk: fix -g option in debug mode mqtt: on send error, return error multi: make multi_perform ignore/unignore signals less often multi: remove PENDING + MSGSENT handles from the main linked list ngtcp2-gnutls.yml: bump to gnutls 3.8.0 ngtcp2: fix unwanted close of file descriptor 0 page-footer: add explanation for three missing exit codes parsedate: parse strings without using sscanf() parsedate: replace sscanf( for time stamp parsing quic/schannel: fix compiler warnings rand: use arc4random as fallback when available rate.d: single URLs make no sense in --rate example RELEASE-PROCEDURE.md: update coming release dates rtsp: avoid sscanf for parsing runtests: use a hash table for server port numbers sectransp: fix compiler warning c89 mixed code/declaration sectransp: make read_cert() use a dynbuf when loading secure-transport: fix recv return code handling select: stop treating POLLRDBAND as an error setopt: move the CURLOPT_CHUNK_DATA pointer to the set struct socket: detect "dead" connections better, e.g. not fit for reuse src: silence wmain() warning for all build methods telnet: only accept option arguments in ascii telnet: parse NEW_ENVIRON without sscanf telnet: parse telnet options without sscanf telnet: parse the WS= argument without sscanf test1470: test socks proxy using unix sockets and connect to https test1960: verify CURL_SOCKOPT_ALREADY_CONNECTED test2600: detect when ALARM_TIMEOUT is in use and adjust test422: verify --next used without a prior URL tests/http: add pytest to GHA and improve tests tests: add `cookies` features tests: add timeout, SLOWDOWN and DELAY keywords to tests tests: fix gnutls-serv check tests: fix MSVC unreachable code warnings in unit tests tests: hack to build most unit tests under cmake tests: HTTP server fixups tests: keep cmake unit tests names in sync tests: make CPPFLAGS common to all unit tests tests: make first.c the same for both lib tests and unit tests tests: support for imaps/pop3s/smtps protocols tests: sync option lists in runtests.pl & its man page tests: test secure mail protocols with explicit SSL requests tests: use AM_CPPFILES to modify flags in unit tests tests: use dynamic ports numbers in pytest suite tool: dump headers even if file is write-only tool: improve --stderr handling tool_getparam: don't add a new node for just --no-remote-name tool_getparam: error if --next is used without a prior URL tool_operate: avoid fclose(NULL) on bad header dump file tool_operate: propagate error codes for missing URL after --next tool_progress: shut off progress meter for --silent in parallel tool_writeout_json. fix the output for duplicate header names transfer: limit Windows SO_SNDBUF updates to once a second url: fix cookielist memleak when curl_easy_reset url: fix logic in connection reuse to deny reuse on "unclean" connections url: fix the SSH connection reuse check url: only reuse connections with same GSS delegation url: remove dummy protocol handler urlapi: '%' is illegal in host names urlapi: avoid mutating internals in getter routine urlapi: parse IPv6 literals without ENABLE_IPV6 urlapi: take const args in _dup and _get functions wildcard: remove files and move functions into ftplistparser.c winbuild: fix makefile clean wolfssl: add quic/ngtcp2 detection in cmake, and fix builds wolfSSL: ressurect the BIO `io_result` ws: keep the socket non-blocking x509asn1.c: use correct format specifier for infof() call x509asn1: use plain %x, not %lx, when the arg is an int Signed-off-by: Adolf Belka <adolf.belka(a)ipfire.org> --- lfs/curl | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/lfs/curl b/lfs/curl index feb4fa810..995f63cd5 100644 --- a/lfs/curl +++ b/lfs/curl @@ -24,7 +24,7 @@ include Config -VER = 7.88.1 +VER = 8.1.0 THISAPP = curl-$(VER) DL_FILE = $(THISAPP).tar.xz @@ -40,7 +40,7 @@ objects = $(DL_FILE) $(DL_FILE) = $(DL_FROM)/$(DL_FILE) -$(DL_FILE)_BLAKE2 = ed7e7aa29efb02fd89a53d5c8d0ec79b4d17612ea07d2a6b5a951f0ca651b4cf7264704344b1a0c2d82196f4cb5c08525e06b4cdd432bc3278ff23c7a6580839 +$(DL_FILE)_BLAKE2 = 768a824b8f5f6ddaa073599c4106f07a8134bcbe0e0d666390be1bce16ba25386d85930853bb47bc90b2c8a499a0b2abb9c685042563801e0fe58b9c315ac6cc install : $(TARGET) -- 2.40.1

2 10

[PATCH] OpenSSL: Update to 3.1.1
by Peter Müller 30 May '23

30 May '23

Changelog concerning this version: https://www.openssl.org/news/cl31.txt Accompanying security advisory: https://www.openssl.org/news/secadv/20230530.txt Signed-off-by: Peter Müller <peter.mueller(a)ipfire.org> --- config/rootfiles/common/openssl | 1 + lfs/openssl | 4 ++-- 2 files changed, 3 insertions(+), 2 deletions(-) diff --git a/config/rootfiles/common/openssl b/config/rootfiles/common/openssl index 44ae2cda9..5ccb17fe1 100644 --- a/config/rootfiles/common/openssl +++ b/config/rootfiles/common/openssl @@ -3617,6 +3617,7 @@ usr/lib/ossl-modules/legacy.so #usr/share/man/man3/OSSL_CMP_MSG_http_perform.3ossl #usr/share/man/man3/OSSL_CMP_MSG_it.3ossl #usr/share/man/man3/OSSL_CMP_MSG_read.3ossl +#usr/share/man/man3/OSSL_CMP_MSG_update_recipNonce.3ossl #usr/share/man/man3/OSSL_CMP_MSG_update_transactionID.3ossl #usr/share/man/man3/OSSL_CMP_MSG_write.3ossl #usr/share/man/man3/OSSL_CMP_P10CR.3ossl diff --git a/lfs/openssl b/lfs/openssl index 214d22962..5b60c3369 100644 --- a/lfs/openssl +++ b/lfs/openssl @@ -24,7 +24,7 @@ include Config -VER = 3.1.0 +VER = 3.1.1 THISAPP = openssl-$(VER) DL_FILE = $(THISAPP).tar.gz @@ -70,7 +70,7 @@ objects = $(DL_FILE) $(DL_FILE) = $(DL_FROM)/$(DL_FILE) -$(DL_FILE)_BLAKE2 = 9212a7fb13f6dee7746721ee406af56ae1b48ec58974c002465d2b0205839eb5ee0483383aa9924fc3e4168ebd34e1a5819480cf10aa318994d7171e54c07108 +$(DL_FILE)_BLAKE2 = 094f7e28f16de6528016fcd21df1d7382b0dbdcd80ec469d37add9c37f638c059dda3ffb4415eba890a33d146ddc9016bcc7192df101c73be5e70faf6e3b1097 install : $(TARGET) -- 2.35.3

1 0

Re: [PATCH] transmission: Update to version 4.0.3
by Adolf Belka 30 May '23

30 May '23

Hi Arne, I just tried installing transmission-3.00 and have seen that although the web related files are all commented out, they are installed because the /usr/share/transmission directory is not commented out. I have also seen that in the wiki page it talks about the web gui so clearly this is intended to be present. I have looked in the transmission source in the file CMakeLists.txt and it refers to the option INSTALL_WEB but says that the default is ON, so this should happen automatically. I will try setting this option explicitly to ON in the lfs. Also the ENABLE_CLI option is defined as OFF by default. I had left this out as in the version-3.00 configure it has the --enable-cli in the Optional Features section. It does not mention any default but usually if it is optional without a specified default it means that it is disabled if not explicitly specified but maybe in the transmission case an optional parameter that has no default means that it is built. I will also try enabling the cli with the cmake command. Maybe the INSTALL_WEB is not applied if the ENABLE_CLI is not turned on. Will report back on what I find. Regards, Adolf. On 30/05/2023 12:00, Adolf Belka wrote: > Hi Arne, > > On 30/05/2023 08:06, Arne Fitzenreiter wrote: >> The files of the webgui are now commented out. Please check: >> #usr/share/transmission > > The files were commented out in the version 3.00 rootfile. > > In the version 4.0.3 rootfile the webgui items are not even present. > > I didn't worry too much about that as my understanding is that transmission is a client only, not a server so it should not need a webgui anyway. > > However if the torrent client requires a webgui then I can look and see if the cmake build can have the webgui enabled. Probably the webgui is no longer enabled by default with cmake as compared with the configure approach. > > > Regards, > Adolf. >> >> Arne >> >> >> Am 2023-05-20 14:10, schrieb Adolf Belka: >>> - Update from version 3.00 to 4.0.3 >>> - Update of rootfile >>> - Build changed from autotools configure to cmake >>> - Changelog is very large. For details see >>> https://github.com/transmission/transmission/releases/ >>> >>> Signed-off-by: Adolf Belka <adolf.belka(a)ipfire.org> >>> --- >>> config/rootfiles/packages/transmission | 94 +++----------------------- >>> lfs/transmission | 15 ++-- >>> 2 files changed, 18 insertions(+), 91 deletions(-) >>> >>> diff --git a/config/rootfiles/packages/transmission >>> b/config/rootfiles/packages/transmission >>> index d831ecde9..69bc9a1d7 100644 >>> --- a/config/rootfiles/packages/transmission >>> +++ b/config/rootfiles/packages/transmission >>> @@ -1,3 +1,4 @@ >>> +etc/rc.d/init.d/transmission >>> #etc/transmission >>> etc/transmission/settings.json >>> usr/bin/transmission-create >>> @@ -5,88 +6,13 @@ usr/bin/transmission-daemon >>> usr/bin/transmission-edit >>> usr/bin/transmission-remote >>> usr/bin/transmission-show >>> -#usr/share/man/man1/transmission-create.1 >>> -#usr/share/man/man1/transmission-daemon.1 >>> -#usr/share/man/man1/transmission-edit.1 >>> -#usr/share/man/man1/transmission-remote.1 >>> -#usr/share/man/man1/transmission-show.1 >>> -usr/share/transmission >>> -#usr/share/transmission/web >>> -#usr/share/transmission/web/LICENSE >>> -#usr/share/transmission/web/images >>> -#usr/share/transmission/web/images/favicon.ico >>> -#usr/share/transmission/web/images/favicon.png >>> -#usr/share/transmission/web/images/webclip-icon.png >>> -#usr/share/transmission/web/index.html >>> -#usr/share/transmission/web/javascript >>> -#usr/share/transmission/web/javascript/common.js >>> -#usr/share/transmission/web/javascript/dialog.js >>> -#usr/share/transmission/web/javascript/file-row.js >>> -#usr/share/transmission/web/javascript/formatter.js >>> -#usr/share/transmission/web/javascript/inspector.js >>> -#usr/share/transmission/web/javascript/jquery >>> -#usr/share/transmission/web/javascript/jquery/jquery-migrate.min.js >>> -#usr/share/transmission/web/javascript/jquery/jquery-ui.min.js >>> -#usr/share/transmission/web/javascript/jquery/jquery.min.js >>> -#usr/share/transmission/web/javascript/jquery/jquery.transmenu.min.js >>> -#usr/share/transmission/web/javascript/jquery/jquery.ui-contextmenu.min.js >>> -#usr/share/transmission/web/javascript/jquery/json2.min.js >>> -#usr/share/transmission/web/javascript/main.js >>> -#usr/share/transmission/web/javascript/notifications.js >>> -#usr/share/transmission/web/javascript/polyfill.js >>> -#usr/share/transmission/web/javascript/prefs-dialog.js >>> -#usr/share/transmission/web/javascript/remote.js >>> -#usr/share/transmission/web/javascript/torrent-row.js >>> -#usr/share/transmission/web/javascript/torrent.js >>> -#usr/share/transmission/web/javascript/transmission.js >>> -#usr/share/transmission/web/style >>> -#usr/share/transmission/web/style/jqueryui >>> -#usr/share/transmission/web/style/jqueryui/images >>> -#usr/share/transmission/web/style/jqueryui/images/ui-bg_flat_0_aaaaaa_40x100.png >>> -#usr/share/transmission/web/style/jqueryui/images/ui-bg_flat_75_ffffff_40x100.png >>> -#usr/share/transmission/web/style/jqueryui/images/ui-bg_glass_55_fbf9ee_1x400.png >>> -#usr/share/transmission/web/style/jqueryui/images/ui-bg_glass_65_ffffff_1x400.png >>> -#usr/share/transmission/web/style/jqueryui/images/ui-bg_glass_75_dadada_1x400.png >>> -#usr/share/transmission/web/style/jqueryui/images/ui-bg_glass_75_e6e6e6_1x400.png >>> -#usr/share/transmission/web/style/jqueryui/images/ui-bg_glass_95_fef1ec_1x400.png >>> -#usr/share/transmission/web/style/jqueryui/images/ui-bg_highlight-soft_75_cccccc_1x100.png >>> -#usr/share/transmission/web/style/jqueryui/images/ui-icons_222222_256x240.png >>> -#usr/share/transmission/web/style/jqueryui/images/ui-icons_2e83ff_256x240.png >>> -#usr/share/transmission/web/style/jqueryui/images/ui-icons_454545_256x240.png >>> -#usr/share/transmission/web/style/jqueryui/images/ui-icons_888888_256x240.png >>> -#usr/share/transmission/web/style/jqueryui/images/ui-icons_cd0a0a_256x240.png >>> -#usr/share/transmission/web/style/jqueryui/jquery-ui.min.css >>> -#usr/share/transmission/web/style/transmission >>> -#usr/share/transmission/web/style/transmission/common.css >>> -#usr/share/transmission/web/style/transmission/images >>> -#usr/share/transmission/web/style/transmission/images/arrow-down.png >>> -#usr/share/transmission/web/style/transmission/images/arrow-up.png >>> -#usr/share/transmission/web/style/transmission/images/blue-turtle.png >>> -#usr/share/transmission/web/style/transmission/images/buttons >>> -#usr/share/transmission/web/style/transmission/images/buttons/torrent_buttons.png >>> -#usr/share/transmission/web/style/transmission/images/compact.png >>> -#usr/share/transmission/web/style/transmission/images/file-priority-high.png >>> -#usr/share/transmission/web/style/transmission/images/file-priority-low.png >>> -#usr/share/transmission/web/style/transmission/images/file-priority-normal.png >>> -#usr/share/transmission/web/style/transmission/images/filter_bar.png >>> -#usr/share/transmission/web/style/transmission/images/filter_icon.png >>> -#usr/share/transmission/web/style/transmission/images/inspector-files.png >>> -#usr/share/transmission/web/style/transmission/images/inspector-info.png >>> -#usr/share/transmission/web/style/transmission/images/inspector-peers.png >>> -#usr/share/transmission/web/style/transmission/images/inspector-trackers.png >>> -#usr/share/transmission/web/style/transmission/images/lock_icon.png >>> -#usr/share/transmission/web/style/transmission/images/logo.png >>> -#usr/share/transmission/web/style/transmission/images/progress.png >>> -#usr/share/transmission/web/style/transmission/images/settings.png >>> -#usr/share/transmission/web/style/transmission/images/toolbar-close.png >>> -#usr/share/transmission/web/style/transmission/images/toolbar-folder.png >>> -#usr/share/transmission/web/style/transmission/images/toolbar-info.png >>> -#usr/share/transmission/web/style/transmission/images/toolbar-pause-all.png >>> -#usr/share/transmission/web/style/transmission/images/toolbar-pause.png >>> -#usr/share/transmission/web/style/transmission/images/toolbar-start-all.png >>> -#usr/share/transmission/web/style/transmission/images/toolbar-start.png >>> -#usr/share/transmission/web/style/transmission/images/turtle.png >>> -#usr/share/transmission/web/style/transmission/images/wrench.png >>> -#usr/share/transmission/web/style/transmission/mobile.css >>> +#usr/share/transmission >>> +#usr/share/transmission/public_html >>> +#usr/share/transmission/public_html/images >>> +#usr/share/transmission/public_html/images/favicon.ico >>> +#usr/share/transmission/public_html/images/favicon.png >>> +#usr/share/transmission/public_html/images/webclip-icon.png >>> +#usr/share/transmission/public_html/index.html >>> +#usr/share/transmission/public_html/transmission-app.js >>> +#usr/share/transmission/public_html/transmission-app.js.LICENSE.txt >>> var/ipfire/backup/addons/includes/transmission >>> -etc/rc.d/init.d/transmission >>> diff --git a/lfs/transmission b/lfs/transmission >>> index ea1167da4..4e0667353 100644 >>> --- a/lfs/transmission >>> +++ b/lfs/transmission >>> @@ -1,7 +1,7 @@ >>> >>> ############################################################################### >>> # # >>> # IPFire.org - A linux based firewall # >>> -# Copyright (C) 2007-2020 IPFire Team <info(a)ipfire.org> # >>> +# Copyright (C) 2007-2023 IPFire Team <info(a)ipfire.org> # >>> # # >>> # This program is free software: you can redistribute it and/or modify # >>> # it under the terms of the GNU General Public License as published by # >>> @@ -26,7 +26,7 @@ include Config >>> >>> SUMMARY = A BitTorrent client with multiple UIs >>> >>> -VER = 3.00 >>> +VER = 4.0.3 >>> >>> THISAPP = transmission-$(VER) >>> DL_FILE = $(THISAPP).tar.xz >>> @@ -34,14 +34,12 @@ DL_FROM = $(URL_IPFIRE) >>> DIR_APP = $(DIR_SRC)/$(THISAPP) >>> TARGET = $(DIR_INFO)/$(THISAPP) >>> PROG = transmission >>> -PAK_VER = 18 >>> +PAK_VER = 19 >>> >>> DEPS = >>> >>> SERVICES = transmission >>> >>> -CXXFLAGS += -fno-exceptions >>> - >>> >>> ############################################################################### >>> # Top-level Rules >>> >>> ############################################################################### >>> @@ -50,7 +48,7 @@ objects = $(DL_FILE) >>> >>> $(DL_FILE) = $(DL_FROM)/$(DL_FILE) >>> >>> -$(DL_FILE)_BLAKE2 = >>> 108c9acb8e8cb9c037ea96ca25f32c8421a6981b613399c73e2cd597dd1b529409329fa3c327630c164db05d8b3da81e634941bca08c7e258bb2d283782b9906 >>> +$(DL_FILE)_BLAKE2 = >>> 3d58f002d57458869e143e4a3617c8992e51a01f15f0e17031bc2913f404a455cde3397bde404f84a2234d12411e99b2902e4213ca6811b95288bb68f9b98553 >>> >>> install : $(TARGET) >>> >>> @@ -83,7 +81,10 @@ $(subst %,%_BLAKE2,$(objects)) : >>> $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects)) >>> @$(PREBUILD) >>> @rm -rf $(DIR_APP) && cd $(DIR_SRC) && tar axf $(DIR_DL)/$(DL_FILE) >>> - cd $(DIR_APP) && ./configure --prefix=/usr --disable-static >>> + cd $(DIR_APP) && cmake . \ >>> + -DCMAKE_INSTALL_PREFIX=/usr \ >>> + -DCMAKE_BUILD_TYPE=Release \ >>> + -DINSTALL_DOC=OFF >>> cd $(DIR_APP) && make $(MAKETUNING) $(EXTRA_MAKE) >>> cd $(DIR_APP) && make install

1 1

[PATCH] ovpnmain.cgi: Fix Bug#13136 - Allow spaces when editing a static ip address pool name
by Adolf Belka 30 May '23

30 May '23

- This was fixed for creating a static ip address pool name in bug#12865 but was not applied to the case when the static ip address pool name was being edited. - This fix corrects that oversight. Fixes: Bug#13136 Tested-by: Adolf Belka <adolf.belka(a)ipfire.org> Signed-off-by: Adolf Belka <adolf.belka(a)ipfire.org> --- html/cgi-bin/ovpnmain.cgi | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/html/cgi-bin/ovpnmain.cgi b/html/cgi-bin/ovpnmain.cgi index 5c4fad0a5..0df9fcc8c 100755 --- a/html/cgi-bin/ovpnmain.cgi +++ b/html/cgi-bin/ovpnmain.cgi @@ -494,7 +494,7 @@ sub modccdnet my %ccdhash=(); # Check if the new name is valid. - if(!&General::validhostname($newname)) { + if(!&General::validccdname($newname)) { $errormessage=$Lang::tr{'ccd err invalidname'}; return; } -- 2.40.1

1 0

Re: [IPFire Wiki] Page Changed: DHCP Server
by Adolf Belka 29 May '23

29 May '23

Dear All, A change was made to the DHCP Server wiki page changing the domain suffix from pluto.disney.org on the basis that it is not correct and it has been replaced by localdomain. If the user had obtained the domain pluto.disney.org or had a Dynamic Dns to a domain from the DDNS provider then you might not want localdomain as the Domain Suffix. The bigger problem for me is that then the screenshot has been replaced with the following change and this comes from prior to Core Update 154 as it is missing the Deny Known Clients checkbox which is then talked about later in the existing text but no longer shown in the screenshot. I logged in to the wiki and tried to restore the change back with a comment about the domain name and the missing Deny Known Clients checkbox but I received a Error 403 oops, something went wrong message. I tried three times and each time the same message. Could someone who has the permissions restore that wiki page back to the version where the screenshot has the Deny Known Clients checkbox. If it is agreed that the Domain Suffix shouldn't have been something like pluto.disney.org but should be localdomain or the earlier domain suffix from sept 2021 which was schuh-tv.at then let me know. I will then create a new screenshot of the dhcp page with the Deny Known Clients checkbox and whatever appropriate wording is required for the Domain Suffix entry. Regards, Adolf. On 28/05/2023 15:19, IPFire Project wrote: > Hey, > > the wiki page has been changed by Trash Trash. > Check out the current version at https://wiki.ipfire.org/configuration/network/dhcp. > > Old screenshot was wrong, at "Domain name suffix" pluto.disney.org is not the suffix. > > You can see what has changed here: > > https://wiki.ipfire.org/configuration/network/dhcp?action=diff&a=2023-05-14… > > --- > > +++ > > @@ -10,7 +10,7 @@ > > > ## Example configuration > In this example we will configure a standard IPFire installation to serve an internal network for the **<span style="color:green">Green Interface</span>**. > -![](./Screenshot_2022-01-31_18-19-50.png) > +![](./IPFire DHCP settings.png) > > ### Blue Interface Enabled > If the Blue Interface has been enabled ensure that the MAC Filtering has been configured on the [Blue Access](/configuration/firewall/accesstoblue) page. > -- Sent from my laptop

2 1

Help with setting up net2net configuration
by Adolf Belka 26 May '23

26 May '23

Hi Erik, All, I am trying to set up a net2net configuration on my virtual machine testbed for evaluating bug#11048 but also for use when evaluating Testing Releases in the future, as I currently do with an OpenVPN Roadwarrior connection. I am struggling to make things work and need some guidance. The two IPFire virtual machines have their red interfaces on my physical green network. So the red IP's for the two IPFire machines are both private address numbers. Is that feasible to set up a N2N OpenVPN tunnel that wholly exists in a Private Address space? When I set the N2N up the two ends show CONNECTED in Green but in the logs there is no message saying Initialization Sequence Completed. When I try and ping I can successfully do that between the two IPFire machines consoles but not to any vm machine on the Green network of either IPFire system. That is also the case when trying ping from one of the IPFire consoles to a machine in the green network of the other IPFire network. I suspect I need to do some sort of routing definition but I don't know how or where. In the Roadwarrior connection there is a route section defined when you create a client connection, where you can select Green and/or Blue/Orange. The N2N client connection is just imported into the other IPFire system and there is no mention in the wiki about defining routes. I also created a Firewall rule on both IPFire's to connect the N2N tunnel with the Green network. None of the above allowed any ping to get a response from one of the IPFire machines to a vm on the other IPFire's Green network. Would appreciate any help/advice on whether what I am trying is even possible and that N2N only works over the internet with public IP's, or if I am doing something wrong with my route attempts. Let me know what further details you need to know or that I should provide. Thanks in advance for any input. Regards, Adolf.

1 1

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

Development May 2023