- Update from version 7.88.1 to 8.1.0 - Update of rootfile not required - Changelog Fixed in 8.1.0 - May 17 2023 Changes: curl: add --proxy-http2 CURLPROXY_HTTPS2: for HTTPS proxy that may speak HTTP/2 hostip: refuse to resolve the .onion TLD tool_writeout: add URL component variables Bugfixes: amiga: Fix CA certificate paths for AmiSSL and MorphOS autotools: sync up clang picky warnings with cmake aws-sigv4.d: fix region identifier in example bufq: simplify since expression is always true cf-h1-proxy: skip an extra NULL assign cf-h2-proxy: fix processing ingress to stop too early cf-socket: add socket recv buffering for most tcp cases cf-socket: Disable socket receive buffer by default cf-socket: remove dead code discovered by PVS cf-socket: turn off IPV6_V6ONLY on Windows if it is supported checksrc: check for spaces before the colon of switch labels checksrc: find bad indentation in conditions without open brace checksrc: fix SPACEBEFOREPAREN for conditions starting with "*" ci: `-Wno-vla` no longer necessary CI: fix brew retries on GHA CI: Set minimal permissions on workflow ngtcp2-quictls.yml CI: skip Azure for commits which change only GHA CI: use another glob syntax for matching files on Appveyor cmake: bring in the network library on Haiku cmake: do not add zlib headers for openssl CMake: make config version 8 compatible with 7 cmake: picky-linker fixes for openssl, ZLIB, H3 and more cmake: set SONAME for SunOS too cmake: speed up and extend picky clang/gcc options CMakeLists.txt: fix typo for Haiku detection compressed.d: clarify the words on "not notifying headers" config-dos.h: fix SIZEOF_CURL_OFF_T for MS-DOS/DJGPP configure: don't set HAVE_WRITABLE_ARGV on Windows configure: fix detection of apxs (for httpd) configure: make quiche require quiche_conn_send_ack_eliciting connect: fix https connection setup to treat ssl_mode correctly content_encoding: only do transfer-encoding compression if asked to cookie: address PVS nits cookie: clarify that init 
with data set to NULL reads no file curl: do NOT append file name to path for upload when there's a query curl_easy_getinfo.3: typo fix (duplicated "from the") curl_easy_unescape.3: rename the argument curl_path: bring back support for SFTP path ending in /~ curl_url_set.3: mention that users can set content rather freely CURLOPT_IPRESOLVE.3: this for host names, not IP addresses data.d: emphasize no conversion digest: clear target buffer doc: curl_mime_init() strong easy binding was relaxed in 7.87.0 docs/cmdline-opts: document the dotless config path docs/examples/protofeats.c: outputs all protocols and features docs/libcurl/curl_*escape.3: rename "url" argument to "input"/"string" docs/SECURITY-ADVISORY.md: how to write a curl security advisory docs: bump the minimum perl version to 5.6 docs: clarify that more backends have HTTPS proxy support dynbuf: never allocate larger than "toobig" easy_cleanup: require a "good" handle to act ftp: fix 'portsock' variable was assigned the same value ftp: remove dead code ftplistparser: move out private data from public struct ftplistparser: replace realloc with dynbuf gen.pl: error on duplicated See-Also fields getpart: better handle case of file not found GHA-linux: add an address-sanitizer build GHA: add a memory-sanitizer job GHA: run all linux test jobs with valgrind GHA: suppress git clone output GIT-INFO: add --with-openssl gskit: various compile errors in OS400 h2/h3: replace `state.drain` counter with `state.dselect_bits` hash: fix assigning same value headers: clear (possibly) lingering pointer in init hostcheck: fix host name wildcard checking hostip: add locks around use of global buffer for alarm() hostip: enforce a maximum DNS cache size independent of timeout value HTTP-COOKIES.md: mention the #HttpOnly_ prefix http2: always EXPIRE_RUN_NOW unpaused http/2 transfers http2: do flow window accounting for cancelled streams http2: enlarge the connection window http2: flow control and buffer improvements http2: move 
HTTP/2 stream vars into local context http2: pass `stream` to http2_handle_stream_close to avoid NULL checks http2: remove unused Curl_http2_strerror function declaration HTTP3/quiche: terminate h1 response header when no body is sent http3: check stream_ctx more thoroughly in all backends HTTP3: document the ngtcp2/nghttp3 versions to use for building curl http3: expire unpaused transfers in all HTTP/3 backends http3: improvements across backends http: free the url before storing a new copy http: skip a double NULL assign ipv4.d/ipv6.d: they are "mutex", not "boolean" KNOWN_BUGS: remove fixed or outdated issues, move non-bugs lib/cmake: add HAVE_WRITABLE_ARGV check lib/sha256.c: typo fix in comment (duplicated "is available") lib1560: verify that more bad host names are rejected lib: add `bufq` and `dynhds` lib: remove CURLX_NO_MEMORY_CALLBACKS lib: unify the upload/method handling lib: use correct printf flags for sockets and timediffs libssh2: fix crash in keyboard callback libssh2: free fingerprint better libssh: tell it to use SFTP non-blocking man pages: simplify the .TH sections MANUAL.md: add dict example for looking up a single definition md(4|5): don't use deprecated iOS functions md4: only build when used mime: skip NULL assigns after Curl_safefree() multi: add handle asserts in DEBUG builds multi: add multi-ignore logic to multi_socket_action multi: free up more data earleier in DONE multi: remove a few superfluous assigns multi: remove PENDING + MSGSENT handles from the main linked list ngtcp2: adapted to 0.15.0 ngtcp2: adjust config and code checks for ngtcp2 without nghttp3 noproxy: pointer to local array 'hostip' is stored outside scope ntlm: clear lm and nt response buffers before use openssl: interop with AWS-LC OS400: fix and complete ILE/RPG binding OS400: implement EBCDIC support for recent features OS400: improve vararg emulation OS400: provide ILE/RPG usage examples pingpong: fix compiler warning "assigning an enum to unsigned char" pytest: 
improvements for suitable curl and error output quiche: disable pacing while pacing is not actually performed quiche: Enable IDLE egress handling RELEASE-PROCEDURE: update to new schedule rtsp: convert mallocs to dynbuf for RTP buffering rtsp: skip malformed RTSP interleaved frame data rtsp: skip NULL assigns after Curl_safefree() runtests: die if curl version can be found runtests: don't start servers if -l is given runtests: fix -c option when run with valgrind runtests: fix quoting in Appveyor and Azure test integration runtests: lots of refactoring runtests: refactor into more packages runtests: show error message if file can't be written runtests: spawn a new process for the test runner rustls: fix error in recv handling schannel: add clarifying comment server/getpart: clear target buffer before load smb: remove double assign smbserver: remove temporary files before exit socketpair: verify with a random value ssh: Add support for libssh2 read timeout telnet: simplify the implementation of str_is_nonascii() test1169: fix so it works properly everywhere test1592: add flaky keyword test1960: point to the correct path for the precheck tool test303: kill server after test tests/http: add timeout to running curl in test cases tests/http: fix log formatting on wrong exit code tests/http: fix out-of-tree builds tests/http: improved httpd detection tests/http: more tests with specific clients tests/http: relax connection check in test_07_02 tests/keywords.pl: remove tests/libtest/lib1900.c: remove tests/sshserver.pl: Define AddressFamily earlier tests: 1078 1288 1297 use valid IPv4 addresses tests: document that the unittest keyword is special tests: increase sws timeout for more robust testing tests: log a too-long Unix socket path in sws and socksd tests: make test_12_01 a bit more forgiving on connection counts tests: move pidfiles and portfiles under the log directory tests: move server config files under the pid dir tests: silence some Perl::Critic warnings in 
test suite tests: stop using strndup(), which isn't portable tests: switch to 3-argument open in test suite tests: turn perl modules into full packages tests: use %LOGDIR to refer to the log directory tool_cb_hdr: Fix 'Location:' formatting for early VTE terminals tool_operate: pass a long as CURLOPT_HEADEROPT argument tool_operate: refuse (--data or --form) and --continue-at combo transfer: refuse POSTFIELDS + RESUME_FROM combo transfer: skip extra assign url: fix null dispname for --connect-to option url: fix PVS nits url: remove call to Curl_llist_destroy in Curl_close urlapi: cleanups and improvements urlapi: detect and error on illegal IPv4 addresses urlapi: prevent setting invalid schemes with *url_set() urlapi: skip a pointless assign urlapi: URL encoding for the URL missed the fragment urldata: copy CURLOPT_AWS_SIGV4 value on handle duplication urldata: shrink *select_bits int => unsigned char vlts: use full buffer size when receiving data if possible vtls and h2 improvements Websocket: enhanced en-/decoding wolfssl.yml: bump to version 5.6.0 write-out.d: Use response_code in example ws: handle reads before EAGAIN better Fixed in 8.0.1 - March 20 2023 Bugfixes: fix crash in curl_easy_cleanup Fixed in 8.0.0 - March 20 2023 Changes: build: remove support for curl_off_t < 8 bytes Bugfixes: .cirrus.yml: Bump to FreeBSD 13.2 aws_sigv4: fall back to UNSIGNED-PAYLOAD for sign_as_s3 BINDINGS: add Fortran binding build: drop the use of XC_AMEND_DISTCLEAN build: fix stdint/inttypes detection with non-autotools cf-socket: fix handling of remote addr for accepted tcp sockets cf-socket: if socket is already connected, return CURLE_OK cf-socket: use port 80 when resolving name for local bind CI: don't run CI jobs if only another CI was changed CI: update ngtcp2 and nghttp2 for pytest cmake: delete unused HAVE__STRTOI64 cmake: fix enabling LDAPS on Windows cmake: skip CA-path/bundle auto-detection in cross-builds connect: fix time_connect and time_appconnect timer 
statistics cookie: don't load cookies again when flushing cookie: parse without sscanf() curl.h: require gcc 12.1 for the deprecation magic curl: make -w's %{stderr} use the file set with --stderr curl_path: create the new path with dynbuf CURLOPT_PIPEWAIT: allow waited reuse also for subsequent connections CURLOPT_PROXY.3: curl+NSS does not handle HTTPS over unix domain socket CURLSHOPT_SHARE.3: HSTS sharing is not thread-safe DEPRECATE: the original legacy mingw version 1 doc: fix compiler warning in libcurl.m4 docs/cmdline-opts: mark all global options docs/SECURITY-PROCESS.md: updates docs: extend the URL API descriptions docs: note '--data-urlencode' option DYNBUF.md: note Curl_dyn_add* calls Curl_dyn_free on failure easy: remove infof() debug leftover from curl_easy_recv examples/http3.c: use CURL_HTTP_VERSION_3 ftp: active mode with SSL, add the filter ftp: add more conditions for connection reuse ftp: allocate the wildcard struct on demand ftp: make the EPSV response parser not use sscanf ftp: replace sscanf for MDTM 213 response parsing ftp: replace sscanf for PASV parsing gssapi: align `gss_OID_desc` to silence ld warnings on macOS ventura headers: make curl_easy_header and nextheader return different buffers hostip: avoid sscanf and extra buffer copies http2: fix error handling during parallel operations http2: fix for http2-prior-knowledge when reusing connections http2: fix handling of RST and GOAWAY to recognize partial transfers http2: fix upload busy loop http: don't send 100-continue for short PUT requests http: fix unix domain socket use in https connects http: rewrite the status line parser without sscanf http_proxy: parse the status line without sscanf idn: return error if the conversion ends up with a blank host krb5: avoid sscanf for parsing lib1560: test parsing URLs with ridiculously large fields lib2305: deal with CURLE_AGAIN lib517: verify time stamps without leading zeroes plus some more lib: silence clang/gcc -Wvla warnings in brotli 
headers lib: skip Curl_llist_destroy calls libcurl-errors.3: add the CURLHcode errors from curl_easy_header.3 libssh2: only set the memory callbacks when debugging libssh2: remove unused variable from libssh2's struct libssh: use dynbuf instead of realloc Makefile.mk: delete redundant `HAVE_LDAP_SSL` macro Makefile.mk: fix -g option in debug mode mqtt: on send error, return error multi: make multi_perform ignore/unignore signals less often multi: remove PENDING + MSGSENT handles from the main linked list ngtcp2-gnutls.yml: bump to gnutls 3.8.0 ngtcp2: fix unwanted close of file descriptor 0 page-footer: add explanation for three missing exit codes parsedate: parse strings without using sscanf() parsedate: replace sscanf( for time stamp parsing quic/schannel: fix compiler warnings rand: use arc4random as fallback when available rate.d: single URLs make no sense in --rate example RELEASE-PROCEDURE.md: update coming release dates rtsp: avoid sscanf for parsing runtests: use a hash table for server port numbers sectransp: fix compiler warning c89 mixed code/declaration sectransp: make read_cert() use a dynbuf when loading secure-transport: fix recv return code handling select: stop treating POLLRDBAND as an error setopt: move the CURLOPT_CHUNK_DATA pointer to the set struct socket: detect "dead" connections better, e.g. 
not fit for reuse src: silence wmain() warning for all build methods telnet: only accept option arguments in ascii telnet: parse NEW_ENVIRON without sscanf telnet: parse telnet options without sscanf telnet: parse the WS= argument without sscanf test1470: test socks proxy using unix sockets and connect to https test1960: verify CURL_SOCKOPT_ALREADY_CONNECTED test2600: detect when ALARM_TIMEOUT is in use and adjust test422: verify --next used without a prior URL tests/http: add pytest to GHA and improve tests tests: add `cookies` features tests: add timeout, SLOWDOWN and DELAY keywords to tests tests: fix gnutls-serv check tests: fix MSVC unreachable code warnings in unit tests tests: hack to build most unit tests under cmake tests: HTTP server fixups tests: keep cmake unit tests names in sync tests: make CPPFLAGS common to all unit tests tests: make first.c the same for both lib tests and unit tests tests: support for imaps/pop3s/smtps protocols tests: sync option lists in runtests.pl & its man page tests: test secure mail protocols with explicit SSL requests tests: use AM_CPPFILES to modify flags in unit tests tests: use dynamic ports numbers in pytest suite tool: dump headers even if file is write-only tool: improve --stderr handling tool_getparam: don't add a new node for just --no-remote-name tool_getparam: error if --next is used without a prior URL tool_operate: avoid fclose(NULL) on bad header dump file tool_operate: propagate error codes for missing URL after --next tool_progress: shut off progress meter for --silent in parallel tool_writeout_json. 
fix the output for duplicate header names transfer: limit Windows SO_SNDBUF updates to once a second url: fix cookielist memleak when curl_easy_reset url: fix logic in connection reuse to deny reuse on "unclean" connections url: fix the SSH connection reuse check url: only reuse connections with same GSS delegation url: remove dummy protocol handler urlapi: '%' is illegal in host names urlapi: avoid mutating internals in getter routine urlapi: parse IPv6 literals without ENABLE_IPV6 urlapi: take const args in _dup and _get functions wildcard: remove files and move functions into ftplistparser.c winbuild: fix makefile clean wolfssl: add quic/ngtcp2 detection in cmake, and fix builds wolfSSL: ressurect the BIO `io_result` ws: keep the socket non-blocking x509asn1.c: use correct format specifier for infof() call x509asn1: use plain %x, not %lx, when the arg is an int
Signed-off-by: Adolf Belka adolf.belka@ipfire.org
---
 lfs/curl | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/lfs/curl b/lfs/curl index feb4fa810..995f63cd5 100644 --- a/lfs/curl +++ b/lfs/curl @@ -24,7 +24,7 @@
include Config
-VER = 7.88.1 +VER = 8.1.0
THISAPP = curl-$(VER) DL_FILE = $(THISAPP).tar.xz @@ -40,7 +40,7 @@ objects = $(DL_FILE)
$(DL_FILE) = $(DL_FROM)/$(DL_FILE)
-$(DL_FILE)_BLAKE2 = ed7e7aa29efb02fd89a53d5c8d0ec79b4d17612ea07d2a6b5a951f0ca651b4cf7264704344b1a0c2d82196f4cb5c08525e06b4cdd432bc3278ff23c7a6580839 +$(DL_FILE)_BLAKE2 = 768a824b8f5f6ddaa073599c4106f07a8134bcbe0e0d666390be1bce16ba25386d85930853bb47bc90b2c8a499a0b2abb9c685042563801e0fe58b9c315ac6cc
install : $(TARGET)
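Review bot: on the `$(DL_FILE)_BLAKE2` line, the commit message gives no indication of how the 8.1.0 tarball was authenticated before the new digest was computed. This value pins what the build will accept as `curl-$(VER).tar.xz`, so please state in the message that the tarball was checked against upstream's release signature (or how else it was obtained), so that the pinned hash is known to describe the genuine release rather than whatever happened to be downloaded.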
- Update from version 9.4.1 to 10.0.1
- Update of rootfile not required
- Tested on vm testbed and confirmed that dhcpcd worked as expected. Connection on red successfully made.
- Changelog is no longer provided. For details of changes you have to look at the commits log - https://github.com/NetworkConfiguration/dhcpcd/commits

Tested-by: Adolf Belka adolf.belka@ipfire.org
Signed-off-by: Adolf Belka adolf.belka@ipfire.org
---
 lfs/dhcpcd | 11 ++++++-----
 ...0.1-Allow-free-selection-of-MTU-by-the-user.patch} | 0
 2 files changed, 6 insertions(+), 5 deletions(-)
 rename src/patches/{dhcpcd-9.4.0-Allow-free-selection-of-MTU-by-the-user.patch => dhcpcd-10.0.1-Allow-free-selection-of-MTU-by-the-user.patch} (100%)
diff --git a/lfs/dhcpcd b/lfs/dhcpcd index 2373198da..ae1b75053 100644 --- a/lfs/dhcpcd +++ b/lfs/dhcpcd @@ -1,7 +1,7 @@ ############################################################################### # # # IPFire.org - A linux based firewall # -# Copyright (C) 2007-2021 IPFire Team info@ipfire.org # +# Copyright (C) 2007-2023 IPFire Team info@ipfire.org # # # # This program is free software: you can redistribute it and/or modify # # it under the terms of the GNU General Public License as published by # @@ -24,7 +24,7 @@
include Config
-VER = 9.4.1 +VER = 10.0.1
THISAPP = dhcpcd-$(VER) DL_FILE = $(THISAPP).tar.xz @@ -40,7 +40,7 @@ objects = $(DL_FILE)
$(DL_FILE) = $(DL_FROM)/$(DL_FILE)
-$(DL_FILE)_BLAKE2 = 847c7451918ac89fe384e180ec52ee4624c0f2dc73354ecb4c63b02d8d9cf0a6d164b33e5d083a05d4868079dcf6208a820b4263c80337a12be40a27517ecf87 +$(DL_FILE)_BLAKE2 = f1e93285d040b98bede86bb2e87e372afc0d1d124e7a6580c23d8d228a34ee17001fc3c2d9091b16fb082fe2f2ad7ba50c0dd7b0db2b2237ab1cff9ca152100a
install : $(TARGET)
@@ -70,13 +70,14 @@ $(subst %,%_BLAKE2,$(objects)) : $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects)) @$(PREBUILD) @rm -rf $(DIR_APP) && cd $(DIR_SRC) && tar axf $(DIR_DL)/$(DL_FILE) - cd $(DIR_APP) && patch -Np1 < $(DIR_SRC)/src/patches/dhcpcd-9.4.0-Allow-free-selection-of-MTU-by-the-user.patch + cd $(DIR_APP) && patch -Np1 < $(DIR_SRC)/src/patches/dhcpcd-10.0.1-Allow-free-selection-of-MTU-by-the-user.patch cd $(DIR_APP) && ./configure \ --prefix="" \ --sysconfdir=/var/ipfire/dhcpc \ --dbdir=/var/ipfire/dhcpc \ --libexecdir=/var/ipfire/dhcpc \ - --mandir=/usr/share/man + --mandir=/usr/share/man \ + --disable-privsep cd $(DIR_APP) && make $(MAKETUNING) cd $(DIR_APP) && make install
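Review bot: the added `--disable-privsep` at the end of the `./configure` call has no rationale in the commit message, which covers only the version bump, the rootfile and the test on red. dhcpcd parses untrusted traffic arriving on the red interface, so building it without privilege separation removes a containment layer. Unless 10.0.1 fails to run without the flag, drop it and keep `--mandir=/usr/share/man` as the last option; if it is needed, document the failure that requires it.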
diff --git a/src/patches/dhcpcd-9.4.0-Allow-free-selection-of-MTU-by-the-user.patch b/src/patches/dhcpcd-10.0.1-Allow-free-selection-of-MTU-by-the-user.patch similarity index 100% rename from src/patches/dhcpcd-9.4.0-Allow-free-selection-of-MTU-by-the-user.patch rename to src/patches/dhcpcd-10.0.1-Allow-free-selection-of-MTU-by-the-user.patch
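Review bot: the rename is recorded with similarity index 100%, so the MTU patch body is still the one carried under the 9.4.0 name, and the commit message does not say whether it applied to the 10.0.1 tree without fuzz or offsets. Please confirm that the `patch -Np1` step applies cleanly against 10.0.1 and mention that next to the test note.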
Hello Adolf,
Why do we need to disable the privilege separation feature here?
-Michael
Hi Michael,
On 02/06/2023 11:01, Michael Tremer wrote:
> Hello Adolf,
> Why do we need to disable the privilege separation feature here?
It doesn't, but I suspected that some changes would be needed to the config file to actually use it, and as I don't know what would need to be changed, if I built it with privilege separation then it might not work anymore.
If it is relatively easy to set privilege separation up and someone can tell me what changes I need to make in the config file and/or elsewhere, then I can do a v2 version of the patch, also testing it out to confirm it works.
Regards, Adolf.
I thought we were already using it, as dhcpcd runs like this on my system:
2353 ? S 0:10 dhcpcd: red0 [ip4]
2354 ? S 0:00 _ dhcpcd: [privileged proxy] red0 [ip4]
2392 ? S 0:00 | _ dhcpcd: [BPF ARP] red0 100.64.27.48
3276 ? S 0:00 | _ dhcpcd: [network proxy] 100.64.27.48
2355 ? S 0:00 _ dhcpcd: [control proxy] red0 [ip4]
I thought this is because it has forked different processes with different privileges that cannot be exploited as easily.
-Michael
Hi Michael,
On 02/06/2023 12:40, Michael Tremer wrote:
> I thought we were already using it, as dhcpcd runs like this on my system:
> 2353 ? S 0:10 dhcpcd: red0 [ip4]
> 2354 ? S 0:00 _ dhcpcd: [privileged proxy] red0 [ip4]
> 2392 ? S 0:00 | _ dhcpcd: [BPF ARP] red0 100.64.27.48
> 3276 ? S 0:00 | _ dhcpcd: [network proxy] 100.64.27.48
> 2355 ? S 0:00 _ dhcpcd: [control proxy] red0 [ip4]
> I thought this is because it has forked different processes with different privileges that cannot be exploited as easily.
My bad. For some reason, and I can't figure out why now, I came to the conclusion that privilege separation had come in new with the 10.0.0 series. Searching now I can see it has been there for some time, certainly already there with 9.4.1.
Apologies for the confusion.
I will submit a v2 version removing the disable-privsep option.
Regards,
Adolf.
-Michael
On 2 Jun 2023, at 11:33, Adolf Belka adolf.belka@ipfire.org wrote:
Hi Michael,
On 02/06/2023 11:01, Michael Tremer wrote:
Hello Adolf, Why do we need to disable the privilege separation feature here?
It doesn't but I suspected that some changes would be needed to the config file to actually use it and as I don't know what would need to be changed if I built it with privilege separation then it might not work anymore.
If it is relatively easy to set privilege separation up and someone can tell me what changes I need to make in the config file and/or elsewhere then I can do a v2 version of the patch, also testing it out to confirm it works.
Regards, Adolf.
-Michael
On 19 May 2023, at 12:47, Adolf Belka adolf.belka@ipfire.org wrote:
- Update from version 9.4.1 to 10.0.1
- Update of rootfile not required
- Tested on vm testbed and confirmed that dhcpcd worked as expected. Connection on red successfully made.
- Changelog is no longer provided. For details of changes you have to look at the commits log - https://github.com/NetworkConfiguration/dhcpcd/commits
Tested-by: Adolf Belka adolf.belka@ipfire.org Signed-off-by: Adolf Belka adolf.belka@ipfire.org
lfs/dhcpcd | 11 ++++++----- ...0.1-Allow-free-selection-of-MTU-by-the-user.patch} | 0 2 files changed, 6 insertions(+), 5 deletions(-) rename src/patches/{dhcpcd-9.4.0-Allow-free-selection-of-MTU-by-the-user.patch => dhcpcd-10.0.1-Allow-free-selection-of-MTU-by-the-user.patch} (100%)
diff --git a/lfs/dhcpcd b/lfs/dhcpcd index 2373198da..ae1b75053 100644 --- a/lfs/dhcpcd +++ b/lfs/dhcpcd @@ -1,7 +1,7 @@ ############################################################################### # # # IPFire.org - A linux based firewall # -# Copyright (C) 2007-2021 IPFire Team info@ipfire.org # +# Copyright (C) 2007-2023 IPFire Team info@ipfire.org # # # # This program is free software: you can redistribute it and/or modify # # it under the terms of the GNU General Public License as published by # @@ -24,7 +24,7 @@
include Config
-VER = 9.4.1 +VER = 10.0.1
THISAPP = dhcpcd-$(VER) DL_FILE = $(THISAPP).tar.xz @@ -40,7 +40,7 @@ objects = $(DL_FILE)
$(DL_FILE) = $(DL_FROM)/$(DL_FILE)
-$(DL_FILE)_BLAKE2 = 847c7451918ac89fe384e180ec52ee4624c0f2dc73354ecb4c63b02d8d9cf0a6d164b33e5d083a05d4868079dcf6208a820b4263c80337a12be40a27517ecf87 +$(DL_FILE)_BLAKE2 = f1e93285d040b98bede86bb2e87e372afc0d1d124e7a6580c23d8d228a34ee17001fc3c2d9091b16fb082fe2f2ad7ba50c0dd7b0db2b2237ab1cff9ca152100a
install : $(TARGET)
@@ -70,13 +70,14 @@ $(subst %,%_BLAKE2,$(objects)) : $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects)) @$(PREBUILD) @rm -rf $(DIR_APP) && cd $(DIR_SRC) && tar axf $(DIR_DL)/$(DL_FILE)
- cd $(DIR_APP) && patch -Np1 < $(DIR_SRC)/src/patches/dhcpcd-9.4.0-Allow-free-selection-of-MTU-by-the-user.patch
- cd $(DIR_APP) && patch -Np1 < $(DIR_SRC)/src/patches/dhcpcd-10.0.1-Allow-free-selection-of-MTU-by-the-user.patch
cd $(DIR_APP) && ./configure \ --prefix="" \ --sysconfdir=/var/ipfire/dhcpc \ --dbdir=/var/ipfire/dhcpc \ --libexecdir=/var/ipfire/dhcpc \
- --mandir=/usr/share/man
- --mandir=/usr/share/man \
- --disable-privsep
cd $(DIR_APP) && make $(MAKETUNING) cd $(DIR_APP) && make install
diff --git a/src/patches/dhcpcd-9.4.0-Allow-free-selection-of-MTU-by-the-user.patch b/src/patches/dhcpcd-10.0.1-Allow-free-selection-of-MTU-by-the-user.patch similarity index 100% rename from src/patches/dhcpcd-9.4.0-Allow-free-selection-of-MTU-by-the-user.patch rename to src/patches/dhcpcd-10.0.1-Allow-free-selection-of-MTU-by-the-user.patch -- 2.40.1
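Review bot: --disable-privsep, added at the end of the ./configure call in the last lfs/dhcpcd hunk, is not mentioned or justified in the commit message, which covers only the version bump, the rootfile and the test on red. dhcpcd handles replies arriving on the red interface, so building 10.0.1 without privilege separation should be a recorded decision: either drop the flag and test with privilege separation enabled, noting whatever setup changes that needs, or state in the commit message and in a comment next to the flag why it is disabled and what is required before it can be turned back on.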
-- Sent from my laptop
- Update from version 6.2 to 6.3
- Update of rootfile not required
- Changelog
    Version 6.3 - May 8, 2023
      * Feature: PLCA support (--[gs]et-plca-cfg, --get-plca-status)
      * Feature: MAC Merge layer support (--show-mm, --set-mm)
      * Feature: pass source of statistics for port stats
      * Feature: get/set rx push in ringparams (-g and -G)
      * Feature: coalesce tx aggregation parameters (-c and -C)
      * Feature: PSE and PD devices (--show-pse, --set-pse)
      * Fix: minor fixes of help text (--help)
      * Fix: fix build on systems with older system headers
      * Fix: fix netlink support when PLCA is not present (no option)
      * Fix: fixes for issues found with gcc13 -fanalyzer
      * Fix: fix return code in rxclass_rule_ins (-N)
      * Fix: more robust argc/argv handling

Signed-off-by: Adolf Belka adolf.belka@ipfire.org
---
lfs/ethtool | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/lfs/ethtool b/lfs/ethtool index f2b996fa9..e6d65ea12 100644 --- a/lfs/ethtool +++ b/lfs/ethtool @@ -24,7 +24,7 @@
include Config
-VER = 6.2 +VER = 6.3
THISAPP = ethtool-$(VER) DL_FILE = $(THISAPP).tar.xz @@ -40,7 +40,7 @@ objects = $(DL_FILE)
$(DL_FILE) = $(DL_FROM)/$(DL_FILE)
-$(DL_FILE)_BLAKE2 = b3fa2571b1efef3b686eb4f20b33e6cc32bdb8cff5f2e642454ca3d41c427b1953df7b07e5ac8ef149f8b4be614210e05e593233655e5fe317c48630b20b68e8 +$(DL_FILE)_BLAKE2 = c06509525db47f8ee7c220d0b880fe80323a4a00036e9698432b1b9c85ad75045e98b23498f6283497728cafd187ca173b15f3ad60f8e6f8b4d0c5688d84a1f9
install : $(TARGET)
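Review bot: the replaced $(DL_FILE)_BLAKE2 value in the second hunk is what the build will trust for ethtool-6.3.tar.xz, and nothing in the commit message says what the tarball was verified against before that hash was computed. Add a line to the message stating that the download was checked against upstream's signature or published checksum, where one exists, so the pinned hash is traceable to the upstream release rather than to whatever was fetched.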
- Update from 7.2.0 to 7.3.0
- Update of rootfile
- Changelog
    Overview of changes leading to 7.3.0
    Tuesday, May 9, 2023
      - Speedup applying glyph variation in VarComposites fonts (over 40% speedup). (Behdad Esfahbod)
      - Speedup instancing some fonts (over 20% speedup in instancing RobotoFlex). (Behdad Esfahbod)
      - Speedup shaping some fonts (over 30% speedup in shaping Roboto). (Behdad Esfahbod)
      - Support subsetting VarComposites and beyond-64k fonts. (Behdad Esfahbod)
      - New configuration macro HB_MINIMIZE_MEMORY_USAGE to favor optimizing memory usage over speed. (Behdad Esfahbod)
      - Supporting setting the mapping between old and new glyph indices during subsetting. (Garret Rieger)
      - Various fixes and improvements. (Behdad Esfahbod, Denis Rochette, Garret Rieger, Han Seung Min, Qunxin Liu)
      - New API:
        +hb_subset_input_old_to_new_glyph_mapping()

Signed-off-by: Adolf Belka adolf.belka@ipfire.org
---
config/rootfiles/common/harfbuzz | 7 ++++---
lfs/harfbuzz | 4 ++--
2 files changed, 6 insertions(+), 5 deletions(-)
diff --git a/config/rootfiles/common/harfbuzz b/config/rootfiles/common/harfbuzz index 4798653a2..a03367254 100644 --- a/config/rootfiles/common/harfbuzz +++ b/config/rootfiles/common/harfbuzz @@ -44,15 +44,15 @@ #usr/lib/libharfbuzz-cairo.la #usr/lib/libharfbuzz-cairo.so usr/lib/libharfbuzz-cairo.so.0 -usr/lib/libharfbuzz-cairo.so.0.60720.0 +usr/lib/libharfbuzz-cairo.so.0.60730.0 #usr/lib/libharfbuzz-subset.la #usr/lib/libharfbuzz-subset.so usr/lib/libharfbuzz-subset.so.0 -usr/lib/libharfbuzz-subset.so.0.60720.0 +usr/lib/libharfbuzz-subset.so.0.60730.0 #usr/lib/libharfbuzz.la #usr/lib/libharfbuzz.so usr/lib/libharfbuzz.so.0 -usr/lib/libharfbuzz.so.0.60720.0 +usr/lib/libharfbuzz.so.0.60730.0 #usr/lib/pkgconfig/harfbuzz-cairo.pc #usr/lib/pkgconfig/harfbuzz-subset.pc #usr/lib/pkgconfig/harfbuzz.pc @@ -128,6 +128,7 @@ usr/lib/libharfbuzz.so.0.60720.0 #usr/share/gtk-doc/html/harfbuzz/api-index-6-0-0.html #usr/share/gtk-doc/html/harfbuzz/api-index-7-0-0.html #usr/share/gtk-doc/html/harfbuzz/api-index-7-1-0.html +#usr/share/gtk-doc/html/harfbuzz/api-index-7-3-0.html #usr/share/gtk-doc/html/harfbuzz/api-index-full.html #usr/share/gtk-doc/html/harfbuzz/apple-advanced-typography-api.html #usr/share/gtk-doc/html/harfbuzz/buffers-language-script-and-direction.html diff --git a/lfs/harfbuzz b/lfs/harfbuzz index 15cc9ff13..bfc40dba3 100644 --- a/lfs/harfbuzz +++ b/lfs/harfbuzz @@ -24,7 +24,7 @@
include Config
-VER = 7.2.0 +VER = 7.3.0
THISAPP = harfbuzz-$(VER) DL_FILE = $(THISAPP).tar.xz @@ -40,7 +40,7 @@ objects = $(DL_FILE)
$(DL_FILE) = $(DL_FROM)/$(DL_FILE)
-$(DL_FILE)_BLAKE2 = 247746d6a0f132a0d6b0c461d9e96a4fe76bc08bca4d05b28a034de60afee8e049d798fdf3962b892b33424245d8f00a63d6068b034e80ad9d7733180e8533c1 +$(DL_FILE)_BLAKE2 = 7b1f6fb0c4c7483ff7a7c27f613b8579af30a304432e1a4e157aec4344449aed93e68443df1f2bc741be6780a6b2214d54804e2df9a20d83c8256b5f98c7fcda
install : $(TARGET)
- Update from version 2.67 to 2.69
- Update of rootfile
- Changelog
    Release notes for 2.69
    2023-05-14 19:10:04 -0700
      An audit was performed on libcap and friends by https://x41-dsec.de/
        https://x41-dsec.de/news/2023/05/15/libcap-source-code-audit/
        The audit (final report, 2023-05-10)
        https://drive.google.com/file/d/1lsuC_tQbQ5pCE2Sy_skw0a7hTzQyQh2C/view?usp=s...
        was sponsored by the Open Source Technology Improvement Fund, https://ostif.org/ (blog).
        Five issues were found. Four of them are addressed in this release.
        Each issue was labeled in the audit results as follows:
          LCAP-CR-23-01 (SEVERITY) LOW (CVE-2023-2602) - found by David Gstir
          LCAP-CR-23-02 (SEVERITY) MEDIUM (CVE-2023-2603) - found by Richard Weinberger
          LCAP-CR-23-100 (SEVERITY) NONE
          LCAP-CR-23-101 (SEVERITY) NONE
      Man page style improvement from Emanuele Torre
      Partially revive the ability to build the binaries fully statically. This was needed to make bleeding edge kernel debugging/testing via qemu+busybox work again. Addressing an issue I realized only when I tried to answer this stackexchange question.
        https://unix.stackexchange.com/questions/741532/launch-process-with-limited-...
    Release notes for 2.68
    2023-03-25 17:03:17 -0700
      Force libcap internal functions to be hidden outside the library (Bug 217014)
      Expanded the list of man page (links) to all of the supported API functions.
        fixed some formatting issues with the libpsx(3) manpage.
      Add support for a markdown preamble and postscript when generating .md versions of the man pages (Bug 217007)
      psx package clean up
        fix some copy-paste errors with TestShared()
        added a more complete psx testing into this test as well
      cap package clean up
        drop an unnecessary use of ", _" in the sources
        cleaned up cap.NamedCount documentation
      Converted goapps/web/README to .md format and fixed the instructions to indicate go mod tidy is needed.
      cap_compare test binary now cleans up after itself (Bug 217018)
      Figured out how to cross compile Go programs for arm (i.e. RPi) that use C code, don't use cgo but do use the psx package (all part of investigating bug 216610).
        Eliminate use of vendor directory

Signed-off-by: Adolf Belka adolf.belka@ipfire.org
---
config/rootfiles/common/libcap | 8 ++++++--
lfs/libcap | 4 ++--
2 files changed, 8 insertions(+), 4 deletions(-)
diff --git a/config/rootfiles/common/libcap b/config/rootfiles/common/libcap index af1c22e83..f331e2a43 100644 --- a/config/rootfiles/common/libcap +++ b/config/rootfiles/common/libcap @@ -6,20 +6,22 @@ sbin/setcap #usr/include/sys/psx_syscall.h usr/lib/libcap.so usr/lib/libcap.so.2 -usr/lib/libcap.so.2.67 +usr/lib/libcap.so.2.69 #usr/lib/libpsx.so #usr/lib/libpsx.so.2 -usr/lib/libpsx.so.2.67 +usr/lib/libpsx.so.2.69 #usr/lib/pkgconfig/libcap.pc #usr/lib/pkgconfig/libpsx.pc #usr/lib/security usr/lib/security/pam_cap.so #usr/share/man/man1/capsh.1 +#usr/share/man/man3/__psx_syscall.3 #usr/share/man/man3/cap_clear.3 #usr/share/man/man3/cap_clear_flag.3 #usr/share/man/man3/cap_compare.3 #usr/share/man/man3/cap_copy_ext.3 #usr/share/man/man3/cap_copy_int.3 +#usr/share/man/man3/cap_copy_int_check.3 #usr/share/man/man3/cap_drop_bound.3 #usr/share/man/man3/cap_dup.3 #usr/share/man/man3/cap_fill.3 @@ -71,6 +73,7 @@ usr/lib/security/pam_cap.so #usr/share/man/man3/cap_set_nsowner.3 #usr/share/man/man3/cap_set_proc.3 #usr/share/man/man3/cap_set_secbits.3 +#usr/share/man/man3/cap_set_syscall.3 #usr/share/man/man3/cap_setgroups.3 #usr/share/man/man3/cap_setuid.3 #usr/share/man/man3/cap_size.3 @@ -80,6 +83,7 @@ usr/lib/security/pam_cap.so #usr/share/man/man3/capsetp.3 #usr/share/man/man3/libcap.3 #usr/share/man/man3/libpsx.3 +#usr/share/man/man3/psx_load_syscalls.3 #usr/share/man/man3/psx_set_sensitivity.3 #usr/share/man/man3/psx_syscall.3 #usr/share/man/man3/psx_syscall3.3 diff --git a/lfs/libcap b/lfs/libcap index 63f4ef8b0..951ed80dc 100644 --- a/lfs/libcap +++ b/lfs/libcap @@ -24,7 +24,7 @@
include Config
-VER = 2.67 +VER = 2.69
THISAPP = libcap-$(VER) DL_FILE = $(THISAPP).tar.xz @@ -40,7 +40,7 @@ objects = $(DL_FILE)
$(DL_FILE) = $(DL_FROM)/$(DL_FILE)
-$(DL_FILE)_BLAKE2 = bd9be22e439397a3c1726093cfee2410df93773b3139d50a1cdc10daecb666ddb9b64daded6e0ec9f2fd6defd16ea156dbd66bd55360ea266131f31ea0f0e989 +$(DL_FILE)_BLAKE2 = 94d1fef7666a1c383a8b96f1f6092bd242164631532868b628d2f5de71b42a371d041a978ef7fbadfee3eeb433165444995d1078cd790275bc0433a7875a697e
install : $(TARGET)
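Review bot: nothing in the first lines of the commit message marks this as a security update, although the quoted release notes list CVE-2023-2602 and CVE-2023-2603 among four fixed audit findings, and the fifth, unfixed finding is not identified. The rootfile hunks keep sbin/setcap, usr/lib/libcap.so.2.69 and usr/lib/security/pam_cap.so uncommented, so the fixed code is shipped; say in the opening lines that 2.69 carries these CVE fixes so the patch is prioritised for merging, and name the finding that remains open or point to where it is tracked.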
- Update from version 3.8.1 to 3.9
- Update of rootfile
- Changelog
    NEWS for the Nettle 3.9 release
      This release includes bug fixes, several new features, a few performance improvements, and one performance regression affecting GCM on certain platforms.
      The new version is intended to be fully source and binary compatible with Nettle-3.6. The shared library names are libnettle.so.8.7 and libhogweed.so.6.7, with sonames libnettle.so.8 and libhogweed.so.6.
      This release includes a rewrite of the C implementation of GHASH (dating from 2011), as well as the plain x86_64 assembly version, to use precomputed tables in a different way, with tables always accessed in the same sequential manner. This should make Nettle's GHASH implementation side-channel silent on all platforms, but considerably slower on platforms without carry-less mul instructions. E.g., benchmarks of the C implementation on x86_64 showed a slowdown of 3 times.
      Bug fixes:
        * Fix bug in ecdsa and gostdsa signature verify operation, for the unlikely corner case that point addition really is point duplication.
        * Fix for chacha on Power7, nettle's assembly used an instruction only available on later processors. Fixed by Mamone Tarsha.
        * GHASH implementation should now be side-channel silent on all architectures.
        * A few portability fixes for *BSD.
      New features:
        * Support for the SM4 block cipher, contributed by Tianjia Zhang.
        * Support for the Balloon password hash, contributed by Zoltan Fridrich.
        * Support for SIV-GCM authenticated encryption mode, contributed by Daiki Ueno.
        * Support for OCB authenticated encryption mode.
        * New exported functions md5_compress, sha1_compress, sha256_compress, sha512_compress, based on patches from Corentin Labbe.
      Optimizations:
        * Improved sha256 performance, in particular for x86_64 and s390x.
        * Use GMP's mpn_sec_tabselect, which is implemented in assembly on many platforms, and delete the similar nettle function. Gives a modest speedup to all ecc operations.
        * Faster poly1305 for x86_64 and ppc64. New ppc code contributed by Mamone Tarsha.
      Miscellaneous:
        * New ASM_FLAGS variable recognized by configure.
        * Delete all arcfour assembly code. Affects 32-bit x86, 32-bit and 64-bit sparc.
      Known issues:
        * Version 6.2.1 of GNU GMP (the most recent GMP release as of this writing) has a known issue for MacOS on 64-bit ARM: GMP assembly files use the reserved x18 register. On this platform it is recommended to use a GMP snapshot where this bug is fixed, and upgrade to a later GMP release when one becomes available.
        * Also on MacOS, Nettle's testsuite may still break due to DYLD_LIBRARY_PATH being discarded under some circumstances. As a workaround, use
          * make check EMULATOR='env DYLD_LIBRARY_PATH=$(TEST_SHLIB_DIR)'

Signed-off-by: Adolf Belka adolf.belka@ipfire.org
---
config/rootfiles/common/nettle | 8 ++++++--
lfs/nettle | 6 +++---
2 files changed, 9 insertions(+), 5 deletions(-)
diff --git a/config/rootfiles/common/nettle b/config/rootfiles/common/nettle index a9f8aca43..3c0331406 100644 --- a/config/rootfiles/common/nettle +++ b/config/rootfiles/common/nettle @@ -8,6 +8,7 @@ #usr/include/nettle/arcfour.h #usr/include/nettle/arctwo.h #usr/include/nettle/asn1.h +#usr/include/nettle/balloon.h #usr/include/nettle/base16.h #usr/include/nettle/base64.h #usr/include/nettle/bignum.h @@ -48,6 +49,7 @@ #usr/include/nettle/nettle-meta.h #usr/include/nettle/nettle-types.h #usr/include/nettle/nist-keywrap.h +#usr/include/nettle/ocb.h #usr/include/nettle/pbkdf2.h #usr/include/nettle/pgp.h #usr/include/nettle/pkcs1.h @@ -65,7 +67,9 @@ #usr/include/nettle/sha2.h #usr/include/nettle/sha3.h #usr/include/nettle/siv-cmac.h +#usr/include/nettle/siv-gcm.h #usr/include/nettle/sm3.h +#usr/include/nettle/sm4.h #usr/include/nettle/streebog.h #usr/include/nettle/twofish.h #usr/include/nettle/umac.h @@ -74,9 +78,9 @@ #usr/include/nettle/yarrow.h usr/lib/libhogweed.so usr/lib/libhogweed.so.6 -usr/lib/libhogweed.so.6.6 +usr/lib/libhogweed.so.6.7 #usr/lib/libnettle.so usr/lib/libnettle.so.8 -usr/lib/libnettle.so.8.6 +usr/lib/libnettle.so.8.7 #usr/lib/pkgconfig/hogweed.pc #usr/lib/pkgconfig/nettle.pc diff --git a/lfs/nettle b/lfs/nettle index 779b87199..2d01f9557 100644 --- a/lfs/nettle +++ b/lfs/nettle @@ -1,7 +1,7 @@ ############################################################################### # # # IPFire.org - A linux based firewall # -# Copyright (C) 2007-2021 IPFire Team info@ipfire.org # +# Copyright (C) 2007-2023 IPFire Team info@ipfire.org # # # # This program is free software: you can redistribute it and/or modify # # it under the terms of the GNU General Public License as published by # @@ -24,7 +24,7 @@
include Config
-VER = 3.8.1 +VER = 3.9
THISAPP = nettle-$(VER) DL_FILE = $(THISAPP).tar.gz @@ -40,7 +40,7 @@ objects = $(DL_FILE)
$(DL_FILE) = $(DL_FROM)/$(DL_FILE)
-$(DL_FILE)_BLAKE2 = 22b4ec81645b579504356597ba87b637e46285682020c90e03ecaea386ac9b48eaf91ee76ae3b86b6060be355de20c320ab3b74958074ad23fc08ad9ab6a4cbb +$(DL_FILE)_BLAKE2 = 80885fa380de58765155a5d4b209e524f4bd0336156ba6f5189702007438998094df0e4e801370fd0a74251b8cf91f46638b0c0139388c2c2098b1207ed3415c
install : $(TARGET)
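Review bot: no build or throughput test is recorded for the VER bump to 3.9 in lfs/nettle, even though the quoted NEWS warns that the rewritten GHASH is considerably slower on platforms without carry-less mul instructions (a slowdown of 3 times for the C implementation on x86_64). Note in the commit message which architectures were built and tested and whether GCM performance was checked on hardware lacking those instructions. The rootfile hunk's move to libhogweed.so.6.7 and libnettle.so.8.7 keeps the existing sonames, so that part needs no further action.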
- Update from version 1.5.2 to 1.5.3
- Update of rootfile
- Changelog
    Release 1.5.3
      * configure: added options to configure stylesheets.
      * configure: added --enable-logind option to use logind instead of utmp in pam_issue and pam_timestamp.
      * pam_modutil_getlogin: changed to use getlogin() from libc instead of parsing utmp.
      * Added libeconf support to pam_env and pam_shells.
      * Added vendor directory support to pam_access, pam_env, pam_group, pam_faillock, pam_limits, pam_namespace, pam_pwhistory, pam_sepermit, pam_shells, and pam_time.
      * pam_limits: changed to not fail on missing config files.
      * pam_pwhistory: added conf= option to specify config file location.
      * pam_pwhistory: added file= option to specify password history file location.
      * pam_shells: added shells.d support when libeconf and vendordir are enabled.
      * Deprecated pam_lastlog: this module is no longer built by default because it uses utmp, wtmp, btmp and lastlog, but none of them are Y2038 safe, even on 64bit architectures. pam_lastlog will be removed in one of the next releases, consider using pam_lastlog2 (from https://github.com/thkukuk/lastlog2) and/or pam_wtmpdb (from https://github.com/thkukuk/wtmpdb) instead.
      * Deprecated _pam_overwrite(), _pam_overwrite_n(), and _pam_drop_reply() macros provided by _pam_macros.h; the memory override performed by these macros can be optimized out by the compiler and therefore can no longer be relied upon.
      * Multiple minor bug fixes, portability fixes, documentation improvements, and translation updates.

Signed-off-by: Adolf Belka adolf.belka@ipfire.org
---
config/rootfiles/common/pam | 5 ++---
lfs/pam | 6 +++---
2 files changed, 5 insertions(+), 6 deletions(-)
diff --git a/config/rootfiles/common/pam b/config/rootfiles/common/pam index 88e155f77..e25fc9c26 100644 --- a/config/rootfiles/common/pam +++ b/config/rootfiles/common/pam @@ -10,6 +10,7 @@ etc/security #etc/security/namespace.d #etc/security/namespace.init #etc/security/pam_env.conf +#etc/security/pwhistory.conf #etc/security/time.conf #lib/security #lib/security/faillock @@ -42,8 +43,6 @@ lib/security/pam_group.so lib/security/pam_issue.so #lib/security/pam_keyinit.la lib/security/pam_keyinit.so -#lib/security/pam_lastlog.la -#lib/security/pam_lastlog.so #lib/security/pam_limits.la lib/security/pam_limits.so #lib/security/pam_listfile.la @@ -187,6 +186,7 @@ usr/lib/libpamc.so.0.82.1 #usr/share/man/man5/pam.conf.5 #usr/share/man/man5/pam.d.5 #usr/share/man/man5/pam_env.conf.5 +#usr/share/man/man5/pwhistory.conf.5 #usr/share/man/man5/time.conf.5 #usr/share/man/man8/PAM.8 #usr/share/man/man8/faillock.8 @@ -205,7 +205,6 @@ usr/lib/libpamc.so.0.82.1 #usr/share/man/man8/pam_group.8 #usr/share/man/man8/pam_issue.8 #usr/share/man/man8/pam_keyinit.8 -#usr/share/man/man8/pam_lastlog.8 #usr/share/man/man8/pam_limits.8 #usr/share/man/man8/pam_listfile.8 #usr/share/man/man8/pam_localuser.8 diff --git a/lfs/pam b/lfs/pam index b810f787d..020de981c 100644 --- a/lfs/pam +++ b/lfs/pam @@ -1,7 +1,7 @@ ############################################################################### # # # IPFire.org - A linux based firewall # -# Copyright (C) 2007-2020 IPFire Team info@ipfire.org # +# Copyright (C) 2007-2023 IPFire Team info@ipfire.org # # # # This program is free software: you can redistribute it and/or modify # # it under the terms of the GNU General Public License as published by # @@ -24,7 +24,7 @@
include Config
-VER = 1.5.2 +VER = 1.5.3
THISAPP = Linux-PAM-$(VER) DL_FILE = $(THISAPP).tar.xz @@ -40,7 +40,7 @@ objects = $(DL_FILE)
$(DL_FILE) = $(DL_FROM)/$(DL_FILE)
-$(DL_FILE)_BLAKE2 = a835034cd239bc9377419c13dda45276e8e64a33fcf714a1957ff41112fbb6dce0be8e9773afc82458a04d54bf146a0c26117d7170521fecdc0c98184cef5f4f +$(DL_FILE)_BLAKE2 = 362c939f3afc343e6f4e78e7f6ba6f7a9c6ee0a9948bb5a4fc34cecfd29e9fa974082534d4ceedd04d8d3e34c7b3ef43d2a07ba5f41d26da04ec8330fc3790fb
install : $(TARGET)