Development June 2023

development@lists.ipfire.org

10 participants
38 discussions

[PATCH] backup.pl: Fixes Bug#13137 - Existing n2n client connection created with openssl-1.1.1x fails to start with openssl-3.x
by Adolf Belka 05 Jun '23

05 Jun '23

- This code adds the "providers legacy default" line into OpenVPN N2N Client config files when restoring them in case it is missing from a backup earlier than CU175. Only adds the line if it is not already present. - Tested out on my vm testbed system Fixes: Bug#13137 Tested-by: Adolf Belka <adolf.belka(a)ipfire.org> Signed-off-by: Adolf Belka <adolf.belka(a)ipfire.org> --- config/backup/backup.pl | 15 +++++++++++++++ 1 file changed, 15 insertions(+) diff --git a/config/backup/backup.pl b/config/backup/backup.pl index 96e794439..8d990c0f1 100644 --- a/config/backup/backup.pl +++ b/config/backup/backup.pl @@ -189,6 +189,21 @@ restore_backup() { # Update OpenVPN CRL /etc/fcron.daily/openvpn-crl-updater + + # Update OpenVPN N2N Client Configs + ## Add providers legacy default line to n2n client config files + # Check if ovpnconfig exists and is not empty + if [ -s /var/ipfire/ovpn/ovpnconfig ]; then + # Identify all n2n connections + for y in $(awk -F',' '/net/ { print $3 }' /var/ipfire/ovpn/ovpnconfig); do + # Add the legacy option to all N2N client conf files if it does not already exist + if [ $(grep -c "Open VPN Client Config" /var/ipfire/ovpn/n2nconf/${y}/${y}.conf) -eq 1 ] ; then + if [ $(grep -c "providers legacy default" /var/ipfire/ovpn/n2nconf/${y}/${y}.conf) -eq 0 ] ; then + echo "providers legacy default" >> /var/ipfire/ovpn/n2nconf/${y}/${y}.conf + fi + fi + done + fi return 0 } -- 2.40.1

2 1

[PATCH 1/2] ovpnmain.cgi: Fixes Bug#13137 - Existing n2n client connection created with openssl-1.1.1x fails to start with openssl-3.x
by Adolf Belka 05 Jun '23

05 Jun '23

- With a n2n connection .p12 certificate created wityh openssl-1.1.1x the line providers legacy default is required in the n2nconf file to enable it to start. - Any openssl-3.x attempt to open a .p12 file created with openssl-1.1.1x will result in a failure and an error message. All the openssl commands dealing with pkcs12 (.p12) files need to have the -legacy option added to them. Fixes: Bug#13137 Tested-by: Adolf Belka <adolf.belka(a)ipfire.org> Signed-off-by: Adolf Belka <adolf.belka(a)ipfire.org> --- html/cgi-bin/ovpnmain.cgi | 11 +++++++---- 1 file changed, 7 insertions(+), 4 deletions(-) diff --git a/html/cgi-bin/ovpnmain.cgi b/html/cgi-bin/ovpnmain.cgi index 5c4fad0a5..88106251e 100755 --- a/html/cgi-bin/ovpnmain.cgi +++ b/html/cgi-bin/ovpnmain.cgi @@ -1115,6 +1115,7 @@ unless(-d "${General::swroot}/ovpn/n2nconf/$cgiparams{'NAME'}"){mkdir "${General print CLIENTCONF "# Activate Management Interface and Port\n"; if ($cgiparams{'OVPN_MGMT'} eq '') {print CLIENTCONF "management localhost $cgiparams{'DEST_PORT'}\n"} else {print CLIENTCONF "management localhost $cgiparams{'OVPN_MGMT'}\n"}; + print CLIENTCONF "providers legacy default\n"; close(CLIENTCONF); } @@ -1648,7 +1649,7 @@ END goto ROOTCERT_ERROR; } } else { # child - unless (exec ('/usr/bin/openssl', 'pkcs12', '-cacerts', '-nokeys', + unless (exec ('/usr/bin/openssl', 'pkcs12', '-legacy', '-cacerts', '-nokeys', '-in', $filename, '-out', "$tempdir/cacert.pem")) { $errormessage = "$Lang::tr{'cant start openssl'}: $!"; @@ -1671,7 +1672,7 @@ END goto ROOTCERT_ERROR; } } else { # child - unless (exec ('/usr/bin/openssl', 'pkcs12', '-clcerts', '-nokeys', + unless (exec ('/usr/bin/openssl', 'pkcs12', '-legacy', '-clcerts', '-nokeys', '-in', $filename, '-out', "$tempdir/hostcert.pem")) { $errormessage = "$Lang::tr{'cant start openssl'}: $!"; @@ -1694,7 +1695,7 @@ END goto ROOTCERT_ERROR; } } else { # child - unless (exec ('/usr/bin/openssl', 'pkcs12', '-nocerts', + unless (exec ('/usr/bin/openssl', 'pkcs12', '-legacy', '-nocerts', '-nodes', '-in', $filename, '-out', "$tempdir/serverkey.pem")) { @@ -2156,6 +2157,7 @@ if ($confighash{$cgiparams{'KEY'}}[3] eq 'net'){ if ($confighash{$cgiparams{'KEY'}}[22] eq '') {print CLIENTCONF "management localhost $confighash{$cgiparams{'KEY'}}[29]\n"} else {print CLIENTCONF "management localhost $confighash{$cgiparams{'KEY'}}[22]\n"}; print CLIENTCONF "# remsub $confighash{$cgiparams{'KEY'}}[11]\n"; + print CLIENTCONF "providers legacy default\n"; close(CLIENTCONF); @@ -3296,6 +3298,7 @@ END print FILE "# Logfile\n"; print FILE "status-version 1\n"; print FILE "status /var/run/openvpn/$n2nname[0]-n2n 10\n"; + print FILE "providers legacy default\n"; close FILE; unless(move("$tempdir/$uplconffilename", "${General::swroot}/ovpn/n2nconf/$n2nname[0]/$uplconffilename2")) { @@ -4242,7 +4245,7 @@ if ($cgiparams{'TYPE'} eq 'net') { # Create the pkcs12 file # The system call is safe, because all arguments are passed as an array. - system('/usr/bin/openssl', 'pkcs12', '-export', + system('/usr/bin/openssl', 'pkcs12', '-legacy', '-export', '-inkey', "${General::swroot}/ovpn/certs/$cgiparams{'NAME'}key.pem", '-in', "${General::swroot}/ovpn/certs/$cgiparams{'NAME'}cert.pem", '-name', $cgiparams{'NAME'}, -- 2.40.1

2 4

[PATCH] vpnmain.cgi: Fixes bug#13138 - root/host certificate set fails to be created
by Adolf Belka 05 Jun '23

05 Jun '23

- The change to openssl-3.x results in the openssl commands that start with ca failing with the error message OpenSSL produced an error: <br>40E7B4719B730000:error:0700006C:configuration file routines:NCONF_get_string:no value:crypto/conf/conf_lib.c:315:group=<NULL> name=unique_subject - The fix for this is to include the unique_subject = yes line into /var/ipfire/certs/index.txt.attr - Additionally, based on the learnings from bug#13137 on OpenVPN, any openssl commands dealing with pkcs12 (.p12) files that were created with openssl-1.1.1x fail when being accessed with openssl-3.x due to the no longer supported algorithm. These can be accessed if the -legacy option is added to every openssl command dealing with pkcs12 Fixes: Bug#13138 Tested-by: Adolf Belka <adolf.belka(a)ipfire.org> Signed-off-by: Adolf Belka <adolf.belka(a)ipfire.org> --- html/cgi-bin/vpnmain.cgi | 15 ++++++++------- 1 file changed, 8 insertions(+), 7 deletions(-) diff --git a/html/cgi-bin/vpnmain.cgi b/html/cgi-bin/vpnmain.cgi index 6c1fd4cf0..f2aeecdf9 100644 --- a/html/cgi-bin/vpnmain.cgi +++ b/html/cgi-bin/vpnmain.cgi @@ -193,7 +193,7 @@ sub cleanssldatabase { close FILE; } if (open(FILE, ">${General::swroot}/certs/index.txt.attr")) { - print FILE ""; + print FILE "unique_subject = yes"; close FILE; } unlink ("${General::swroot}/certs/index.txt.old"); @@ -213,6 +213,7 @@ sub newcleanssldatabase { } if (! -s ">${General::swroot}/certs/index.txt.attr") { open(FILE, ">${General::swroot}/certs/index.txt.attr"); + print FILE "unique_subject = yes"; close(FILE); } unlink ("${General::swroot}/certs/index.txt.old"); @@ -907,7 +908,7 @@ END # Extract the CA certificate from the file &General::log("ipsec", "Extracting caroot from p12..."); if (open(STDIN, "-|")) { - my $opt = " pkcs12 -cacerts -nokeys"; + my $opt = " pkcs12 -legacy -cacerts -nokeys"; $opt .= " -in $filename"; $opt .= " -out /tmp/newcacert"; $errormessage = &callssl ($opt); @@ -920,7 +921,7 @@ END if (!$errormessage) { &General::log("ipsec", "Extracting host cert from p12..."); if (open(STDIN, "-|")) { - my $opt = " pkcs12 -clcerts -nokeys"; + my $opt = " pkcs12 -legacy -clcerts -nokeys"; $opt .= " -in $filename"; $opt .= " -out /tmp/newhostcert"; $errormessage = &callssl ($opt); @@ -934,7 +935,7 @@ END if (!$errormessage) { &General::log("ipsec", "Extracting private key from p12..."); if (open(STDIN, "-|")) { - my $opt = " pkcs12 -nocerts -nodes"; + my $opt = " pkcs12 -legacy -nocerts -nodes"; $opt .= " -in $filename"; $opt .= " -out /tmp/newhostkey"; $errormessage = &callssl ($opt); @@ -1939,7 +1940,7 @@ END # Extract the CA certificate from the file &General::log("ipsec", "Extracting caroot from p12..."); if (open(STDIN, "-|")) { - my $opt = " pkcs12 -cacerts -nokeys"; + my $opt = " pkcs12 -legacy -cacerts -nokeys"; $opt .= " -in $filename"; $opt .= " -out /tmp/newcacert"; $errormessage = &callssl ($opt); @@ -1952,7 +1953,7 @@ END if (!$errormessage) { &General::log("ipsec", "Extracting host cert from p12..."); if (open(STDIN, "-|")) { - my $opt = " pkcs12 -clcerts -nokeys"; + my $opt = " pkcs12 -legacy -clcerts -nokeys"; $opt .= " -in $filename"; $opt .= " -out /tmp/newhostcert"; $errormessage = &callssl ($opt); @@ -2197,7 +2198,7 @@ END # Create the pkcs12 file &General::log("ipsec", "Packing a pkcs12 file..."); - $opt = " pkcs12 -export"; + $opt = " pkcs12 -legacy -export"; $opt .= " -inkey ${General::swroot}/certs/$cgiparams{'NAME'}key.pem"; $opt .= " -in ${General::swroot}/certs/$cgiparams{'NAME'}cert.pem"; $opt .= " -name \"$cgiparams{'NAME'}\""; -- 2.40.1

2 1

[PATCH 1/2] partresize: remove buggy code
by Arne Fitzenreiter 05 Jun '23

05 Jun '23

DRV is not defined so this code is useless. Signed-off-by: Arne Fitzenreiter <arne_f(a)ipfire.org> --- src/initscripts/system/partresize | 5 ----- 1 file changed, 5 deletions(-) diff --git a/src/initscripts/system/partresize b/src/initscripts/system/partresize index 272fbe482..832bc7237 100644 --- a/src/initscripts/system/partresize +++ b/src/initscripts/system/partresize @@ -112,11 +112,6 @@ case "${1}" in boot_mesg "Growing root partition to maximum size..." echo -e ',+' | sfdisk --no-reread -f -N${part_num} "${root_dev}" 2>/dev/null - # Update c,h,s values of the boot partition... - if [ ${part_num} -ne 1 -a -b "${root_dev}1" ]; then - echo -e ',' | sfdisk --no-reread -f -N1 ${DRV} &> /dev/null - fi - # The filesystem should be resized after # this operation touch /.resizefs -- 2.38.1

1 1

[PATCH 1/2] partresize: remove buggy code
by Arne Fitzenreiter 03 Jun '23

03 Jun '23

1 0

Feedback on CU175 Testing (Not Critical - For Info)
by Adolf Belka 02 Jun '23

02 Jun '23

Hi All, On my vm testbed IPFire system I have samba and cups installed. Both running and also avahi installed due to cups dependency. It is also running. After doing the upgrade from CU174 to CU175 Testing then the cups and avahi packages are no longer running. Missed that the first few times I was running an update to CU175 Testing and it caused the reboot to pause saying that it could not stop avahi as it was not running. If this was caused by a bug report it or wait one minute or press any key. In later updates to CU175 Testing I then remembered to go to the services page and turn avahi and cups back on before doing the reboot. Then no error messages. I had a look at the update.sh script and I can't figure out why it would be stopping cups and avahi let alone failing to restart them. Not critical, not blocking, just for information for future core updates. Regards, Adolf.

2 1

[PATCH v2] dhcpcd: Update to version 10.0.1
by Adolf Belka 02 Jun '23

02 Jun '23

- Update from version 9.4.1 to 10.0.1 - Update of rootfile not required - Changelog is no longer provided. For details of changes you have to look at the commits log - https://github.com/NetworkConfiguration/dhcpcd/commits Signed-off-by: Adolf Belka <adolf.belka(a)ipfire.org> --- lfs/dhcpcd | 8 ++++---- ...-10.0.1-Allow-free-selection-of-MTU-by-the-user.patch} | 0 2 files changed, 4 insertions(+), 4 deletions(-) rename src/patches/{dhcpcd-9.4.0-Allow-free-selection-of-MTU-by-the-user.patch => dhcpcd-10.0.1-Allow-free-selection-of-MTU-by-the-user.patch} (100%) diff --git a/lfs/dhcpcd b/lfs/dhcpcd index 2373198da..136494ed1 100644 --- a/lfs/dhcpcd +++ b/lfs/dhcpcd @@ -1,7 +1,7 @@ ############################################################################### # # # IPFire.org - A linux based firewall # -# Copyright (C) 2007-2021 IPFire Team <info(a)ipfire.org> # +# Copyright (C) 2007-2023 IPFire Team <info(a)ipfire.org> # # # # This program is free software: you can redistribute it and/or modify # # it under the terms of the GNU General Public License as published by # @@ -24,7 +24,7 @@ include Config -VER = 9.4.1 +VER = 10.0.1 THISAPP = dhcpcd-$(VER) DL_FILE = $(THISAPP).tar.xz @@ -40,7 +40,7 @@ objects = $(DL_FILE) $(DL_FILE) = $(DL_FROM)/$(DL_FILE) -$(DL_FILE)_BLAKE2 = 847c7451918ac89fe384e180ec52ee4624c0f2dc73354ecb4c63b02d8d9cf0a6d164b33e5d083a05d4868079dcf6208a820b4263c80337a12be40a27517ecf87 +$(DL_FILE)_BLAKE2 = f1e93285d040b98bede86bb2e87e372afc0d1d124e7a6580c23d8d228a34ee17001fc3c2d9091b16fb082fe2f2ad7ba50c0dd7b0db2b2237ab1cff9ca152100a install : $(TARGET) @@ -70,7 +70,7 @@ $(subst %,%_BLAKE2,$(objects)) : $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects)) @$(PREBUILD) @rm -rf $(DIR_APP) && cd $(DIR_SRC) && tar axf $(DIR_DL)/$(DL_FILE) - cd $(DIR_APP) && patch -Np1 < $(DIR_SRC)/src/patches/dhcpcd-9.4.0-Allow-free-selection-of-MTU-by-the-user.patch + cd $(DIR_APP) && patch -Np1 < $(DIR_SRC)/src/patches/dhcpcd-10.0.1-Allow-free-selection-of-MTU-by-the-user.patch cd $(DIR_APP) && ./configure \ --prefix="" \ --sysconfdir=/var/ipfire/dhcpc \ diff --git a/src/patches/dhcpcd-9.4.0-Allow-free-selection-of-MTU-by-the-user.patch b/src/patches/dhcpcd-10.0.1-Allow-free-selection-of-MTU-by-the-user.patch similarity index 100% rename from src/patches/dhcpcd-9.4.0-Allow-free-selection-of-MTU-by-the-user.patch rename to src/patches/dhcpcd-10.0.1-Allow-free-selection-of-MTU-by-the-user.patch -- 2.40.1

1 0

[PATCH] curl: Update to version 8.1.0
by Adolf Belka 02 Jun '23

02 Jun '23

- Update from version 7.88.1 to 8.1.0 - Update of rootfile not required - Changelog Fixed in 8.1.0 - May 17 2023 Changes: curl: add --proxy-http2 CURLPROXY_HTTPS2: for HTTPS proxy that may speak HTTP/2 hostip: refuse to resolve the .onion TLD tool_writeout: add URL component variables Bugfixes: amiga: Fix CA certificate paths for AmiSSL and MorphOS autotools: sync up clang picky warnings with cmake aws-sigv4.d: fix region identifier in example bufq: simplify since expression is always true cf-h1-proxy: skip an extra NULL assign cf-h2-proxy: fix processing ingress to stop too early cf-socket: add socket recv buffering for most tcp cases cf-socket: Disable socket receive buffer by default cf-socket: remove dead code discovered by PVS cf-socket: turn off IPV6_V6ONLY on Windows if it is supported checksrc: check for spaces before the colon of switch labels checksrc: find bad indentation in conditions without open brace checksrc: fix SPACEBEFOREPAREN for conditions starting with "*" ci: `-Wno-vla` no longer necessary CI: fix brew retries on GHA CI: Set minimal permissions on workflow ngtcp2-quictls.yml CI: skip Azure for commits which change only GHA CI: use another glob syntax for matching files on Appveyor cmake: bring in the network library on Haiku cmake: do not add zlib headers for openssl CMake: make config version 8 compatible with 7 cmake: picky-linker fixes for openssl, ZLIB, H3 and more cmake: set SONAME for SunOS too cmake: speed up and extend picky clang/gcc options CMakeLists.txt: fix typo for Haiku detection compressed.d: clarify the words on "not notifying headers" config-dos.h: fix SIZEOF_CURL_OFF_T for MS-DOS/DJGPP configure: don't set HAVE_WRITABLE_ARGV on Windows configure: fix detection of apxs (for httpd) configure: make quiche require quiche_conn_send_ack_eliciting connect: fix https connection setup to treat ssl_mode correctly content_encoding: only do transfer-encoding compression if asked to cookie: address PVS nits cookie: clarify that init with data set to NULL reads no file curl: do NOT append file name to path for upload when there's a query curl_easy_getinfo.3: typo fix (duplicated "from the") curl_easy_unescape.3: rename the argument curl_path: bring back support for SFTP path ending in /~ curl_url_set.3: mention that users can set content rather freely CURLOPT_IPRESOLVE.3: this for host names, not IP addresses data.d: emphasize no conversion digest: clear target buffer doc: curl_mime_init() strong easy binding was relaxed in 7.87.0 docs/cmdline-opts: document the dotless config path docs/examples/protofeats.c: outputs all protocols and features docs/libcurl/curl_*escape.3: rename "url" argument to "input"/"string" docs/SECURITY-ADVISORY.md: how to write a curl security advisory docs: bump the minimum perl version to 5.6 docs: clarify that more backends have HTTPS proxy support dynbuf: never allocate larger than "toobig" easy_cleanup: require a "good" handle to act ftp: fix 'portsock' variable was assigned the same value ftp: remove dead code ftplistparser: move out private data from public struct ftplistparser: replace realloc with dynbuf gen.pl: error on duplicated See-Also fields getpart: better handle case of file not found GHA-linux: add an address-sanitizer build GHA: add a memory-sanitizer job GHA: run all linux test jobs with valgrind GHA: suppress git clone output GIT-INFO: add --with-openssl gskit: various compile errors in OS400 h2/h3: replace `state.drain` counter with `state.dselect_bits` hash: fix assigning same value headers: clear (possibly) lingering pointer in init hostcheck: fix host name wildcard checking hostip: add locks around use of global buffer for alarm() hostip: enforce a maximum DNS cache size independent of timeout value HTTP-COOKIES.md: mention the #HttpOnly_ prefix http2: always EXPIRE_RUN_NOW unpaused http/2 transfers http2: do flow window accounting for cancelled streams http2: enlarge the connection window http2: flow control and buffer improvements http2: move HTTP/2 stream vars into local context http2: pass `stream` to http2_handle_stream_close to avoid NULL checks http2: remove unused Curl_http2_strerror function declaration HTTP3/quiche: terminate h1 response header when no body is sent http3: check stream_ctx more thoroughly in all backends HTTP3: document the ngtcp2/nghttp3 versions to use for building curl http3: expire unpaused transfers in all HTTP/3 backends http3: improvements across backends http: free the url before storing a new copy http: skip a double NULL assign ipv4.d/ipv6.d: they are "mutex", not "boolean" KNOWN_BUGS: remove fixed or outdated issues, move non-bugs lib/cmake: add HAVE_WRITABLE_ARGV check lib/sha256.c: typo fix in comment (duplicated "is available") lib1560: verify that more bad host names are rejected lib: add `bufq` and `dynhds` lib: remove CURLX_NO_MEMORY_CALLBACKS lib: unify the upload/method handling lib: use correct printf flags for sockets and timediffs libssh2: fix crash in keyboard callback libssh2: free fingerprint better libssh: tell it to use SFTP non-blocking man pages: simplify the .TH sections MANUAL.md: add dict example for looking up a single definition md(4|5): don't use deprecated iOS functions md4: only build when used mime: skip NULL assigns after Curl_safefree() multi: add handle asserts in DEBUG builds multi: add multi-ignore logic to multi_socket_action multi: free up more data earleier in DONE multi: remove a few superfluous assigns multi: remove PENDING + MSGSENT handles from the main linked list ngtcp2: adapted to 0.15.0 ngtcp2: adjust config and code checks for ngtcp2 without nghttp3 noproxy: pointer to local array 'hostip' is stored outside scope ntlm: clear lm and nt response buffers before use openssl: interop with AWS-LC OS400: fix and complete ILE/RPG binding OS400: implement EBCDIC support for recent features OS400: improve vararg emulation OS400: provide ILE/RPG usage examples pingpong: fix compiler warning "assigning an enum to unsigned char" pytest: improvements for suitable curl and error output quiche: disable pacing while pacing is not actually performed quiche: Enable IDLE egress handling RELEASE-PROCEDURE: update to new schedule rtsp: convert mallocs to dynbuf for RTP buffering rtsp: skip malformed RTSP interleaved frame data rtsp: skip NULL assigns after Curl_safefree() runtests: die if curl version can be found runtests: don't start servers if -l is given runtests: fix -c option when run with valgrind runtests: fix quoting in Appveyor and Azure test integration runtests: lots of refactoring runtests: refactor into more packages runtests: show error message if file can't be written runtests: spawn a new process for the test runner rustls: fix error in recv handling schannel: add clarifying comment server/getpart: clear target buffer before load smb: remove double assign smbserver: remove temporary files before exit socketpair: verify with a random value ssh: Add support for libssh2 read timeout telnet: simplify the implementation of str_is_nonascii() test1169: fix so it works properly everywhere test1592: add flaky keyword test1960: point to the correct path for the precheck tool test303: kill server after test tests/http: add timeout to running curl in test cases tests/http: fix log formatting on wrong exit code tests/http: fix out-of-tree builds tests/http: improved httpd detection tests/http: more tests with specific clients tests/http: relax connection check in test_07_02 tests/keywords.pl: remove tests/libtest/lib1900.c: remove tests/sshserver.pl: Define AddressFamily earlier tests: 1078 1288 1297 use valid IPv4 addresses tests: document that the unittest keyword is special tests: increase sws timeout for more robust testing tests: log a too-long Unix socket path in sws and socksd tests: make test_12_01 a bit more forgiving on connection counts tests: move pidfiles and portfiles under the log directory tests: move server config files under the pid dir tests: silence some Perl::Critic warnings in test suite tests: stop using strndup(), which isn't portable tests: switch to 3-argument open in test suite tests: turn perl modules into full packages tests: use %LOGDIR to refer to the log directory tool_cb_hdr: Fix 'Location:' formatting for early VTE terminals tool_operate: pass a long as CURLOPT_HEADEROPT argument tool_operate: refuse (--data or --form) and --continue-at combo transfer: refuse POSTFIELDS + RESUME_FROM combo transfer: skip extra assign url: fix null dispname for --connect-to option url: fix PVS nits url: remove call to Curl_llist_destroy in Curl_close urlapi: cleanups and improvements urlapi: detect and error on illegal IPv4 addresses urlapi: prevent setting invalid schemes with *url_set() urlapi: skip a pointless assign urlapi: URL encoding for the URL missed the fragment urldata: copy CURLOPT_AWS_SIGV4 value on handle duplication urldata: shrink *select_bits int => unsigned char vlts: use full buffer size when receiving data if possible vtls and h2 improvements Websocket: enhanced en-/decoding wolfssl.yml: bump to version 5.6.0 write-out.d: Use response_code in example ws: handle reads before EAGAIN better Fixed in 8.0.1 - March 20 2023 Bugfixes: fix crash in curl_easy_cleanup Fixed in 8.0.0 - March 20 2023 Changes: build: remove support for curl_off_t < 8 bytes Bugfixes: .cirrus.yml: Bump to FreeBSD 13.2 aws_sigv4: fall back to UNSIGNED-PAYLOAD for sign_as_s3 BINDINGS: add Fortran binding build: drop the use of XC_AMEND_DISTCLEAN build: fix stdint/inttypes detection with non-autotools cf-socket: fix handling of remote addr for accepted tcp sockets cf-socket: if socket is already connected, return CURLE_OK cf-socket: use port 80 when resolving name for local bind CI: don't run CI jobs if only another CI was changed CI: update ngtcp2 and nghttp2 for pytest cmake: delete unused HAVE__STRTOI64 cmake: fix enabling LDAPS on Windows cmake: skip CA-path/bundle auto-detection in cross-builds connect: fix time_connect and time_appconnect timer statistics cookie: don't load cookies again when flushing cookie: parse without sscanf() curl.h: require gcc 12.1 for the deprecation magic curl: make -w's %{stderr} use the file set with --stderr curl_path: create the new path with dynbuf CURLOPT_PIPEWAIT: allow waited reuse also for subsequent connections CURLOPT_PROXY.3: curl+NSS does not handle HTTPS over unix domain socket CURLSHOPT_SHARE.3: HSTS sharing is not thread-safe DEPRECATE: the original legacy mingw version 1 doc: fix compiler warning in libcurl.m4 docs/cmdline-opts: mark all global options docs/SECURITY-PROCESS.md: updates docs: extend the URL API descriptions docs: note '--data-urlencode' option DYNBUF.md: note Curl_dyn_add* calls Curl_dyn_free on failure easy: remove infof() debug leftover from curl_easy_recv examples/http3.c: use CURL_HTTP_VERSION_3 ftp: active mode with SSL, add the filter ftp: add more conditions for connection reuse ftp: allocate the wildcard struct on demand ftp: make the EPSV response parser not use sscanf ftp: replace sscanf for MDTM 213 response parsing ftp: replace sscanf for PASV parsing gssapi: align `gss_OID_desc` to silence ld warnings on macOS ventura headers: make curl_easy_header and nextheader return different buffers hostip: avoid sscanf and extra buffer copies http2: fix error handling during parallel operations http2: fix for http2-prior-knowledge when reusing connections http2: fix handling of RST and GOAWAY to recognize partial transfers http2: fix upload busy loop http: don't send 100-continue for short PUT requests http: fix unix domain socket use in https connects http: rewrite the status line parser without sscanf http_proxy: parse the status line without sscanf idn: return error if the conversion ends up with a blank host krb5: avoid sscanf for parsing lib1560: test parsing URLs with ridiculously large fields lib2305: deal with CURLE_AGAIN lib517: verify time stamps without leading zeroes plus some more lib: silence clang/gcc -Wvla warnings in brotli headers lib: skip Curl_llist_destroy calls libcurl-errors.3: add the CURLHcode errors from curl_easy_header.3 libssh2: only set the memory callbacks when debugging libssh2: remove unused variable from libssh2's struct libssh: use dynbuf instead of realloc Makefile.mk: delete redundant `HAVE_LDAP_SSL` macro Makefile.mk: fix -g option in debug mode mqtt: on send error, return error multi: make multi_perform ignore/unignore signals less often multi: remove PENDING + MSGSENT handles from the main linked list ngtcp2-gnutls.yml: bump to gnutls 3.8.0 ngtcp2: fix unwanted close of file descriptor 0 page-footer: add explanation for three missing exit codes parsedate: parse strings without using sscanf() parsedate: replace sscanf( for time stamp parsing quic/schannel: fix compiler warnings rand: use arc4random as fallback when available rate.d: single URLs make no sense in --rate example RELEASE-PROCEDURE.md: update coming release dates rtsp: avoid sscanf for parsing runtests: use a hash table for server port numbers sectransp: fix compiler warning c89 mixed code/declaration sectransp: make read_cert() use a dynbuf when loading secure-transport: fix recv return code handling select: stop treating POLLRDBAND as an error setopt: move the CURLOPT_CHUNK_DATA pointer to the set struct socket: detect "dead" connections better, e.g. not fit for reuse src: silence wmain() warning for all build methods telnet: only accept option arguments in ascii telnet: parse NEW_ENVIRON without sscanf telnet: parse telnet options without sscanf telnet: parse the WS= argument without sscanf test1470: test socks proxy using unix sockets and connect to https test1960: verify CURL_SOCKOPT_ALREADY_CONNECTED test2600: detect when ALARM_TIMEOUT is in use and adjust test422: verify --next used without a prior URL tests/http: add pytest to GHA and improve tests tests: add `cookies` features tests: add timeout, SLOWDOWN and DELAY keywords to tests tests: fix gnutls-serv check tests: fix MSVC unreachable code warnings in unit tests tests: hack to build most unit tests under cmake tests: HTTP server fixups tests: keep cmake unit tests names in sync tests: make CPPFLAGS common to all unit tests tests: make first.c the same for both lib tests and unit tests tests: support for imaps/pop3s/smtps protocols tests: sync option lists in runtests.pl & its man page tests: test secure mail protocols with explicit SSL requests tests: use AM_CPPFILES to modify flags in unit tests tests: use dynamic ports numbers in pytest suite tool: dump headers even if file is write-only tool: improve --stderr handling tool_getparam: don't add a new node for just --no-remote-name tool_getparam: error if --next is used without a prior URL tool_operate: avoid fclose(NULL) on bad header dump file tool_operate: propagate error codes for missing URL after --next tool_progress: shut off progress meter for --silent in parallel tool_writeout_json. fix the output for duplicate header names transfer: limit Windows SO_SNDBUF updates to once a second url: fix cookielist memleak when curl_easy_reset url: fix logic in connection reuse to deny reuse on "unclean" connections url: fix the SSH connection reuse check url: only reuse connections with same GSS delegation url: remove dummy protocol handler urlapi: '%' is illegal in host names urlapi: avoid mutating internals in getter routine urlapi: parse IPv6 literals without ENABLE_IPV6 urlapi: take const args in _dup and _get functions wildcard: remove files and move functions into ftplistparser.c winbuild: fix makefile clean wolfssl: add quic/ngtcp2 detection in cmake, and fix builds wolfSSL: ressurect the BIO `io_result` ws: keep the socket non-blocking x509asn1.c: use correct format specifier for infof() call x509asn1: use plain %x, not %lx, when the arg is an int Signed-off-by: Adolf Belka <adolf.belka(a)ipfire.org> --- lfs/curl | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/lfs/curl b/lfs/curl index feb4fa810..995f63cd5 100644 --- a/lfs/curl +++ b/lfs/curl @@ -24,7 +24,7 @@ include Config -VER = 7.88.1 +VER = 8.1.0 THISAPP = curl-$(VER) DL_FILE = $(THISAPP).tar.xz @@ -40,7 +40,7 @@ objects = $(DL_FILE) $(DL_FILE) = $(DL_FROM)/$(DL_FILE) -$(DL_FILE)_BLAKE2 = ed7e7aa29efb02fd89a53d5c8d0ec79b4d17612ea07d2a6b5a951f0ca651b4cf7264704344b1a0c2d82196f4cb5c08525e06b4cdd432bc3278ff23c7a6580839 +$(DL_FILE)_BLAKE2 = 768a824b8f5f6ddaa073599c4106f07a8134bcbe0e0d666390be1bce16ba25386d85930853bb47bc90b2c8a499a0b2abb9c685042563801e0fe58b9c315ac6cc install : $(TARGET) -- 2.40.1

2 10

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

Development June 2023